yogsototh/deft
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
deft/tracker.org
Yann Esposito (Yogsototh) 9b0f0cd792
tracker.org
2021-12-21 11:47:24 +01:00

1918 lines
69 KiB
Org Mode
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

* 2021
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W03.org][2021-W03]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W04.org][2021-W04]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W05.org][2021-W05]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W06.org][2021-W06]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W07.org][2021-W07]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W08.org][2021-W08]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W09.org][2021-W09]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W10.org][2021-W10]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W11.org][2021-W11]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W12.org][2021-W12]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W13.org][2021-W13]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W14.org][2021-W14]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W15.org][2021-W15]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W16.org][2021-W16]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W17.org][2021-W17]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W18.org][2021-W18]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W19.org][2021-W19]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W20.org][2021-W20]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W21.org][2021-W21]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W22.org][2021-W22]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W23.org][2021-W23]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W24.org][2021-W24]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W25.org][2021-W25]]
** 2021-W33
#+BEGIN: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
#+CAPTION: Clock summary at [2021-10-28 Thu 18:16]
| Tags | Headline | Time | | | |
|---------------+----------------------------------------------+------+------+------+------|
| | *Total time* | *6:19* | | | |
|---------------+----------------------------------------------+------+------+------+------|
| | \_ 2021-W33 | | 6:19 | | |
| | \_ 2021-08-16 Monday | | | 1:52 | |
| work | \_ Fix Carlos Hidalgo account | | | | 0:20 |
| work | \_ create an issue about email... | | | | 1:32 |
| | \_ 2021-08-17 Tuesday | | | 2:48 | |
| work | \_ Add scope to TG clients | | | | 0:38 |
| work | \_ Write an issue about 1-click... | | | | 2:03 |
| work, chat | \_ Jyoti about CDO 1-click module setup | | | | 0:07 |
| | \_ 2021-08-19 Thursday | | | 1:39 | |
| work, meeting | \_ Interview Olivier Barbeau | | | | 1:39 |
#+END:
*** 2021-08-16 Monday
**** DONE Fix Carlos Hidalgo account :work:
:LOGBOOK:
CLOCK: [2021-08-16 Mon 15:11]--[2021-08-16 Mon 15:31] => 0:20
:END:
[2021-08-16 Mon 15:11]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*create an issue about email search case sensitivity][create an issue about email search case sensitivity]]
**** DONE create an issue about email search case sensitivity :work:
SCHEDULED: <2021-08-16 Mon>
:LOGBOOK:
CLOCK: [2021-08-17 Tue 14:16]--[2021-08-17 Tue 15:44] => 1:28
CLOCK: [2021-08-16 Mon 15:03]--[2021-08-16 Mon 15:07] => 0:04
:END:
[2021-08-16 Mon 15:03]
- ref :: https://github.com/threatgrid/response/issues/818
***** Fix email case sensitivity
> Related https://github.com/threatgrid/response/issues/818
We often need to search by email. The main issue being that, currently our
search mechanism does not support case insensitive matches.
We have 4 possible solutions:
1. Lower case the user email at creation. We need to also update the user
emails in our DB. The safest route to achieve this will be via the
iroh-migration service.
2. Keep the email case sensitive and add a new case insensitive field =lc-user-email=
for example. But same as for case 1, we need to perform a DB migration to
add this new field to all existing user in DB.
3. Add support for case insensitive search in tk-store, perhaps with a new
tk-store service, or improving current =CRUDStoreService.=
4. Add a specific service just for search user emails that could take care
of this specific case by using a Postgres specific query. This could
also be the occasion to provide a tk-store hole in the abstraction service.
The simplest is probably option 1.
Option 2 would be slightly more complex and we would not lose any detail.
Option 3 seems the most generic one, and we could totally imagine we would
appreciate a case insensitive search support.
Option 4 looks like a specific case of 3.
My preference then goes to option 3, but we need to understand if this is
not too difficult to achieve, what would be the API? The most natural one
would probably add an option along =filter-map= like =case-insensitive-fields=.
One issue would be to write the support for case insensitive match for =atom=
and =redis=.
**** TODO Interview Steven Collins
:LOGBOOK:
CLOCK: [2021-08-16 Mon 15:49]--[2021-08-16 Mon 19:04] => 3:15
:END:
*** 2021-08-17 Tuesday
**** DONE Add scope to TG clients :work:
DEADLINE: <2021-08-18 Wed>
:LOGBOOK:
CLOCK: [2021-08-17 Tue 17:54]--[2021-08-17 Tue 18:32] => 0:38
:END:
[2021-08-17 Tue 17:54]
In tenzin config:
#+begin_src
- INT: 34d94c8c-2041-4708-8172-ebe2df295ca7-2
- TEST: f993f6a0-8075-43e0-a9e5-dae9c3980513
- NAM: 7b8d9fef-bd93-4ef3-88af-ae4174ee02e5
- EU: a1662193-9155-44fd-aa1f-43afd42c889c
#+end_src
**** DONE Write an issue about 1-click module setup :work:
SCHEDULED: <2021-08-17 Tue>
:LOGBOOK:
CLOCK: [2021-08-17 Tue 15:51]--[2021-08-17 Tue 17:54] => 2:03
:END:
[2021-08-17 Tue 15:51]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/Cisco.org.gpg::*Activation Optimization][Activation Optimization]]
**** CHAT Jyoti about CDO 1-click module setup :work:chat:
:LOGBOOK:
CLOCK: [2021-08-17 Tue 15:44]--[2021-08-17 Tue 15:51] => 0:07
:END:
[2021-08-17 Tue 15:44]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/Cisco.org.gpg::*Epics][Epics]]
*** 2021-08-19 Thursday
#+BEGIN: clocktable :scope subtree :maxlevel 4 :timestamp t :link t :tags t :narrow 36! :match "work"
#+CAPTION: Clock summary at [2021-08-19 Thu 17:43]
| Timestamp | Tags | Headline | Time | | | |
|------------------------+---------------+-----------------------------------+------+---+------+------|
| | | *Total time* | *1:39* | | | |
|------------------------+---------------+-----------------------------------+------+---+------+------|
| | | \_ [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*2021-08-19 Thursday][2021-08-19 Thursday]] | | | 1:39 | |
| [2021-08-19 Thu 16:04] | work, meeting | \_ [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Interview Olivier Barbeau][Interview Olivier Barbeau]] | | | | 1:39 |
#+END:
**** MEETING Interview Olivier Barbeau :work:meeting:
:LOGBOOK:
CLOCK: [2021-08-19 Thu 16:04]--[2021-08-19 Thu 17:43] => 1:39
:END:
[2021-08-19 Thu 16:04]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/Cisco.org.gpg::*Self Presentation][Self Presentation]]
** 2021-W35
#+BEGIN: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
#+CAPTION: Clock summary at [2021-10-28 Thu 18:15]
| Tags | Headline | Time | | | |
|---------------+---------------------------+------+------+------+------|
| | *Total time* | *2:54* | | | |
|---------------+---------------------------+------+------+------+------|
| | \_ 2021-W35 | | 2:54 | | |
| | \_ 2021-09-02 Thursday | | | 2:54 | |
| work, meeting | \_ Weekly meeting | | | | 2:54 |
#+END:
*** 2021-09-02 Thursday
**** MEETING Weekly meeting :work:meeting:
:LOGBOOK:
CLOCK: [2021-09-02 Thu 17:06]--[2021-09-02 Thu 20:00] => 2:54
:END:
[2021-09-02 Thu 17:06]
Guillaume start about the *Design Planning* github project.
- SecureX session
- High Impact Incident
Sorry
** 2021-W36
*** 2021-09-08 Wednesday
**** MEETING 1-click module setup weekly meeting :work:meeting:
:LOGBOOK:
CLOCK: [2021-09-08 Wed 17:30]--[2021-09-08 Wed 18:22] => 0:52
:END:
[2021-09-08 Wed 17:30]
- ref :: https://miro.com/app/board/o9J_l57_gro=/
Miro dashboard from Chloe:
https://miro.com/app/board/o9J_l57_gro=/
Discussion:
When to TEST, tomorrow.
Asking for client_id in TEST.
Client-id: client-555c1f7a-b57b-4a6b-9f0b-015e311a6d06
*** 2021-09-09 Thursday
**** MEETING Interview: Florin Braghis :work:meeting:
:LOGBOOK:
CLOCK: [2021-09-09 Thu 15:49]--[2021-09-09 Thu 18:45] => 2:56
:END:
[2021-09-09 Thu 15:49]
** 2021-W37
#+BEGIN: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
#+CAPTION: Clock summary at [2021-10-28 Thu 18:15]
| Tags | Headline | Time | | | |
|---------------+---------------------------+-------+-------+-------+-------|
| | *Total time* | *22:11* | | | |
|---------------+---------------------------+-------+-------+-------+-------|
| | \_ 2021-W37 | | 22:11 | | |
| | \_ 2021-09-14 Tuesday | | | 1:04 | |
| work | \_ Device Grant | | | | 1:04 |
| | \_ 2021-09-16 Thursday | | | 21:07 | |
| work, meeting | \_ Team weekly | | | | 21:07 |
#+END:
*** 2021-09-14 Tuesday
**** IN-PROGRESS Device Grant :work:
:LOGBOOK:
CLOCK: [2021-09-14 Tue 19:31]--[2021-09-14 Tue 20:35] => 1:04
:END:
[2021-09-14 Tue 19:31]
- ref ::
*** 2021-09-16 Thursday
**** MEETING Team weekly :work:meeting:
:LOGBOOK:
CLOCK: [2021-09-16 Thu 17:25]--[2021-09-17 Fri 14:32] => 21:07
:END:
[2021-09-16 Thu 17:25]
Ambrose, Irina, Guillaume, Matt, Yann
TO MENTION: Device Grant with FMC => Public clients
***** Incident discussion
*** 2021-09-17 Friday
**** MEETING Presenting the projects :work:meeting:
[2021-09-17 Fri 14:32]
- ref :: https://github.com/advthreat/iroh/projects
.
***** Pres
****** General
******* Project Organization
Every project has an owner (main point of contact for the FT)
Now only leads, but could be anyone in the future.
****** [Design] Shared IROH Auth Session
Goal of this Project which is not an official FT is to reflect and write
proposals to reach the feeling of a shared session across all Cisco
Security products via SecureX.
+ solution using cookies
+ solution using Open ID Connect
.
****** [Design] High Impact Incident
/Guillaume Ereteo/ made an awesome work to provide multiple proposals to be
able to deliver the feature as fast as possible.
1. filter on source (only AMP)
2. Add severity on incident model
3. Incident with high impact via an IROH route: https://github.com/advthreat/iroh/issues/5710
+ needs the proxy from Ambrose
+ need sync with engine team too
****** SecureX Suite Session Improvement
Delivered yesterday in v1.81
Limit the number of interstitial pages between SecureX and CTR/SSE
+ For orbital, missing the Launch button, the back end work is done as we do
not need any SXSO app link.
****** [HOLD] Cisco Secure Client Integration
Still no work to be done by the IROH Services team
****** Hiring
Since last meeting two new hires will join us in next few weeks.
Kiril and Olivier.
Kiril lives in Germany and Olivier in France.
****** 1-Click Module Setup
In progress integration by CDO and SWC
/Irina/ worked to provide the vault metadata API for SWC.
AMP is in the QA test phase.
****** ModuleType updates
Just saw the rename of "Threat Grid" into "Secure Malware Analytics"
****** [HOLD] CTIA Hydrant support
****** CTIA Incident Manager Improvement
****** Bug Squashing
+ Fix a bug where a user could login to org that reject non-admin user login
+ Fix a refresh token bug that would provide too much scopes to an access token
+ Login Page url parsing potential discrepancy fixed
****** [HOLD] ES 7 Migration
****** Device Insights Integration
- Wanderson: Webhooks work, trigger a notification for every
module-instance configuration change.
****** AppLinks API
****** SSE API Extension & OAuth2 Device Grant
+ FMC ⇒ public clients for Device Grants
****** Incident Assignment Notifications
/Ambrose/ worked to make IROH a proxy to private intel for incident
assignments notifications.
Should be delivered in v1.82
** 2021-W39
#+BEGIN: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
#+CAPTION: Clock summary at [2021-10-28 Thu 18:15]
| Tags | Headline | Time | | | |
|---------------+----------------------------+------+------+------+------|
| | *Total time* | *6:30* | | | |
|---------------+----------------------------+------+------+------+------|
| | \_ 2021-W39 | | 6:30 | | |
| | \_ 2021-09-29 Wednesday | | | 3:18 | |
| work, meeting | \_ Interview | | | | 3:18 |
| | \_ 2021-10-01 Friday | | | 3:12 | |
| work, meeting | \_ App Links | | | | 1:41 |
| work, meeting | \_ Secure Client | | | | 1:31 |
#+END:
*** 2021-09-29 Wednesday
**** MEETING Interview :work:meeting:
:LOGBOOK:
CLOCK: [2021-09-29 Wed 16:12]--[2021-09-29 Wed 19:30] => 3:18
:END:
[2021-09-29 Wed 16:12]
- ref :: [[file:~/dev/ring-jwt-middleware/src/ring_jwt_middleware/core.clj::jwt-check-fn (s/=> s/Any s/Str JwtClaims)]]
*** 2021-10-01 Friday
**** MEETING App Links :work:meeting:
:LOGBOOK:
CLOCK: [2021-10-01 Fri 17:26]--[2021-10-01 Fri 19:07] => 1:41
:END:
[2021-10-01 Fri 17:26]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Secure Client][Secure Client]]
**** MEETING Secure Client :work:meeting:
:LOGBOOK:
CLOCK: [2021-10-01 Fri 15:55]--[2021-10-01 Fri 17:26] => 1:31
:END:
[2021-10-01 Fri 15:55]
Meeting link:
https://cisco.webex.com/cisco/j.php?MTID=m5814a8530a0870a19a57230bfd6d4b0e
** 2021-W40
#+BEGIN: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
#+CAPTION: Clock summary at [2021-10-28 Thu 18:15]
| Tags | Headline | Time | | | |
|---------------+-----------------------------------------+-------+-------+-------+-------|
| | *Total time* | *38:18* | | | |
|---------------+-----------------------------------------+-------+-------+-------+-------|
| | \_ 2021-W40 | | 38:18 | | |
| | \_ 2021-10-05 Tuesday | | | 0:46 | |
| work | \_ Training Interviewing | | | | 0:46 |
| | \_ 2021-10-07 Thursday | | | 32:04 | |
| work, meeting | \_ DI blockers | | | | 23:32 |
| work | \_ support | | | | 1:16 |
| work, chat | \_ check continu | | | | 6:38 |
| work, chat | \_ support DI JWT signature | | | | 0:19 |
| work, support | \_ client update via admin for CMD | | | | 0:18 |
| work, chat | \_ Check webex matinal. | | | | 0:01 |
| | \_ 2021-10-08 Friday | | | 5:28 | |
| work, meeting | \_ IDB decomissioning | | | | 2:28 |
| work, meeting | \_ Customer Manager | | | | 3:00 |
#+END:
*** 2021-10-05 Tuesday
**** MEETING DI weekly :work:meeting:
[2021-10-05 Tue 15:30]
#+begin_quote
From Yuri
Hi,
Things Id like to discuss on our today sync meeting:
1. The integration modules screen:
a. When will all the modules be updated with the relevant text?
b. When will all the modules be deployed to production?
c. Same goes for the DI module? Need help in updating its text and taking it to production as well
d. The filter by capability for device insights currently shows an empty result in production
2. Integration code
a. Is there still some integration code that is pending?
i. What is the status of https://github.com/advthreat/iroh/issues/5680?
ii. Any other open issues?
b. Any blockers that you see for deploying to production?
3. Assets API QA?
#+end_quote
1.a. doc team
1.b
2.a
**** IN-PROGRESS Training Interviewing :work:
:LOGBOOK:
CLOCK: [2021-10-05 Tue 14:44]--[2021-10-05 Tue 15:30] => 0:46
:END:
[2021-10-05 Tue 14:44]
***** Past Perf Predict the Future
*Behaviorial questions*
- tell me about a time when...
- Where and how have you used ,,, to achieve ,,,
- Walk me through the system/process/etc...
*Behavioral questions better*
More specific to their experience, not generic.
- concise
- clear
- relevant
- practiced
- tailored to the job
***** Real Purpose of interviewing
Predict whether or not they'd be successful in our company
Evidence?
- Yes, specific examples
- Yes, demonstration
What the candidate will think about the question.
****** Clear on hiring criteria
*skills & knownledge, attributes, achievements, motivations*
targeted probing behavioral interviewing.
Go deep, specific, examples.
Ask the *how* to detect liars, lack of honesty.
- what ,,, what did you do, what was your role, etc...
Question need specific responses.
Do brainteasers work? no
Use problem solving questions; how would you do/solve/etc...?
Examples:
- role play question. ×
- problem they solved. ✓
What work-related experience(s) changed your opinion(s) on something?
****** On Question to rule them all?
Combination question.
Find combo questions.
*Probing*
*** 2021-10-07 Thursday
**** MEETING DI blockers :work:meeting:
:LOGBOOK:
CLOCK: [2021-10-07 Thu 18:01]--[2021-10-08 Fri 17:33] => 23:32
:END:
[2021-10-07 Thu 18:01]
#+begin_quote
@Yuri:
Ive opened the issues there, still need to set priorities.
Here is the list of the issues Im currently aware of that are important
for the release:
1. https://github.com/advthreat/iroh/issues/5680 - didnt open a new ticket for this one, since it already has tracking.
2. Umbrella module -
a. Allow configuring only DI relevant fields - https://github.com/threatgrid/response/issues/933 b. Placement of fields https://github.com/threatgrid/response/issues/934 c. Add explanations of DI relevant fields - https://github.com/threatgrid/response/issues/935 d. Umbrella doesn't send the external reference info - https://github.com/threatgrid/response/issues/936
3. filtering for the device insights SecureX modules in the Integration Modules screen - results in an empty set - https://github.com/threatgrid/response/issues/937
If you know of something else, please add here
@Matt:
2.a is also tracked here https://github.com/advthreat/iroh/issues/5821
#+end_quote
1. Doc discussion 30min
2. show time (Yuri share chat)
**** IN-PROGRESS support :work:
:LOGBOOK:
CLOCK: [2021-10-07 Thu 16:45]--[2021-10-07 Thu 18:01] => 1:16
:END:
[2021-10-07 Thu 16:45]
- ref :: https://github.com/threatgrid/tenzin/issues/1530
new-org
#+begin_src js
{
"id": "00000000-0000-0000-6473-000028fbaa95",
"name": "GATE/Tier3",
"enabled?": true,
"created-at": "2021-10-07T17:00:00.000Z",
"scim-status": "activated",
"additional-scopes": [
"iroh-master:read",
"iroh-admin:read",
"iroh-master/tac",
"iroh-auth:read"]
}
#+end_src
Idp Mapping INT/TEST
#+begin_src js
{
"idp": "sxso",
"user-identity-id": "00uox5862kEG8G0CD0h7",
"enabled?": true
}
#+end_src
IdP Mapping PROD
#+begin_src js
{
"idp": "sxso",
"user-identity-id": "00u4dmbgyjnx4glS2357",
"enabled?": true
}
#+end_src
Users to invite:
#+begin_src js
[{"invitee-email":"ashakarc@cisco.com","role":"admin"},
{"invitee-email":"bmacer@cisco.com", "role":"admin"},
{"invitee-email":"caknowle@cisco.com","role":"admin"},
{"invitee-email":"cdeleanu@cisco.com","role":"admin"},
{"invitee-email":"daphgalm@cisco.com","role":"admin"},
{"invitee-email":"djanulik@cisco.com","role":"admin"},
{"invitee-email":"bmahsan@cisco.com", "role":"admin"},
{"invitee-email":"majacob2@cisco.com","role":"admin"},
{"invitee-email":"sorianto@cisco.com","role":"admin"},
{"invitee-email":"stabulic@cisco.com","role":"admin"}]
#+end_src
**** CHAT check continu :work:chat:
:LOGBOOK:
CLOCK: [2021-10-07 Thu 10:07]--[2021-10-07 Thu 16:45] => 6:38
:END:
[2021-10-07 Thu 10:07]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*support DI JWT signature][support DI JWT signature]]
**** CHAT support DI JWT signature :work:chat:
:LOGBOOK:
CLOCK: [2021-10-07 Thu 09:45]--[2021-10-07 Thu 10:04] => 0:19
:END:
[2021-10-07 Thu 09:45]
- ref :: https://github.com/advthreat/iroh/issues/5680
**** IN-PROGRESS client update via admin for CMD :work:support:
:LOGBOOK:
CLOCK: [2021-10-07 Thu 09:27]--[2021-10-07 Thu 09:45] => 0:18
:END:
[2021-10-07 Thu 09:27]
- ref :: https://github.com/advthreat/iroh/issues/5827
Cisco Secure Email Cloud Mailbox
- module NAM client-0be615ab-b0ff-4c12-8a85-f16c95e7d396
- ribbon NAM client-e36ba40b-5710-402d-b036-ada6d7817c55
- module EU client-6fc3230c-936a-40c1-ad73-f9f28700804e
- ribbon EU client-164688ee-cd5d-44b6-be3d-5e255955e969
**** CHAT Check webex matinal. :work:chat:
:LOGBOOK:
CLOCK: [2021-10-07 Thu 09:26]--[2021-10-07 Thu 09:27] => 0:01
:END:
[2021-10-07 Thu 09:26]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/notes/journal/2021/2021-10-07.org::*09:20][09:20]]
**** PAUSE Journal :pause:
:LOGBOOK:
CLOCK: [2021-10-07 Thu 09:20]--[2021-10-07 Thu 09:26] => 0:06
:END:
[2021-10-07 Thu 09:20]
*** 2021-10-08 Friday
**** MEETING IDB decomissioning :work:meeting:
:LOGBOOK:
CLOCK: [2021-10-08 Fri 20:33]--[2021-10-08 Fri 23:01] => 2:28
:END:
[2021-10-08 Fri 20:33]
- ref :: [[file:~/dev/iroh/services/iroh-auth/test/iroh_auth/oauth2_web_service_test.clj][file:~/dev/iroh/services/iroh-auth/test/iroh_auth/oauth2_web_service_test.clj]]
- SSE side decomission
Chander Goyal
context; SX released as a platform, SSE had a PingFed ID Broker.
Also for CSA.
We want to user IROH-Auth.
We want to use directly IROH-Auth.
CSA Migration was launched.
SSE-side done.
CSA should be completed very soon.
Let's not change PingFed.
Nov 1919 -> nobody left in PingFed at SSE.
Very limited knowledge.
The license was Cisco Wideside license.
end in 2022.
We want to duplicate PingFed.
**** MEETING Customer Manager :work:meeting:
:LOGBOOK:
CLOCK: [2021-10-08 Fri 17:33]--[2021-10-08 Fri 20:33] => 3:00
:END:
[2021-10-08 Fri 17:33]
- ref :: ,,,
** 2021-W41
#+BEGIN: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
#+CAPTION: Clock summary at [2021-10-28 Thu 18:15]
| Tags | Headline | Time | | | |
|------+----------------------------------------------+------+------+------+------|
| | *Total time* | *1:35* | | | |
|------+----------------------------------------------+------+------+------+------|
| | \_ 2021-W41 | | 1:35 | | |
| | \_ 2021-10-14 Thursday | | | 1:35 | |
| work | \_ Write Customer Manager doc | | | | 1:10 |
| work | \_ write attack on Webhooks with JWT... | | | | 0:25 |
#+END:
*** 2021-10-14 Thursday
**** IN-PROGRESS Write Customer Manager doc :work:
:LOGBOOK:
CLOCK: [2021-10-14 Thu 15:23]--[2021-10-14 Thu 16:33] => 1:10
:END:
[2021-10-14 Thu 15:23]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*write attack on Webhooks with JWT from emitters][write attack on Webhooks with JWT from emitters]]
**** IN-PROGRESS write attack on Webhooks with JWT from emitters :work:
:LOGBOOK:
CLOCK: [2021-10-14 Thu 14:58]--[2021-10-14 Thu 15:23] => 0:25
:END:
[2021-10-14 Thu 14:58]
Attack using access_token/id_token from emitters and not webhook owner.
Webhooks are a generic mechanism; but here we only focus on webhook used by
internal Cisco team integration.
So the webhook mechanism should be used to push a trusted API that a
changed occurred in SecureX (typically module instance change).
The call must be authenticated by the API.
The call should also optionally contain access/refresh tokens to the
destination so the integration team could access IROH as the event's
emitter user.
The issue is that, nothing is explicitly done to prevent any user to get an
access/id token generated from the same client we use to forge the
authentication headers.
So it means, that a SecureX user from any org that could get access to its
own access token/id token (which is entirely possible, and easy to get for
DI as their client is public).
So any user could call the API endpoint to fake real webhook events, and
potentially using cross-tenancy/cross-user false events.
So to mitigate this issue, we suggest to:
1. Always use the owner of the webhook & the client of the team to build
id_tokens, (if possible not access_token).
The forged JWT should have a specific audience (this is already the case
for DI at least). The API team *MUST* check that the =sub= claim matches the
=owner-id= field of the webhook as well as verifying the JWT signature.
2. Provide the emitter tokens in the body of the HTTP call made during
webhook trigger.
- With 1, we prevent this cross-tenant/cross-user attack.
- With 2, we not only provide even more data than before but the team could
directly use the token without using the "custom route" to retrieve the
refresh token (as it is already provided in the webhook HTTP body)
** 2021-W42
#+BEGIN: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
#+CAPTION: Clock summary at [2021-10-28 Thu 18:15]
| Tags | Headline | Time | | | |
|-------------------+---------------------------------------------+------+------+------+------|
| | *Total time* | *9:45* | | | |
|-------------------+---------------------------------------------+------+------+------+------|
| | \_ 2021-W42 | | 9:45 | | |
| | \_ 2021-10-19 Tuesday | | | 6:59 | |
| work | \_ whitelist synopsis.com in TEST | | | | 6:59 |
| | \_ 2021-10-21 Thursday | | | 1:13 | |
| work, meeting | \_ Weekly IROH Service Team | | | | 0:09 |
| work, meeting | \_ FMC - Device Grant OAuth2 Flow Sync | | | | 0:24 |
| work, meeting, me | \_ Secure Client | | | | 0:40 |
| | \_ 2021-10-22 Friday | | | 1:33 | |
| work, meeting | \_ Engineering Team | | | | 1:33 |
#+END:
*** 2021-10-18 Monday
**** TODO Write Weekly todos :work:
[2021-10-18 Mon 10:56]
- ref ::
***** DONE Check Wanderson PRs/Webhooks
SCHEDULED: <2021-10-18 Mon>
***** DONE Customer Manager Doc
SCHEDULED: <2021-10-19 Tue>
***** DONE IROH-Auth tour
****** DONE Organize invitations for IROH-Auth tour + bugfix, etc...
DEADLINE: <2021-10-18 Mon>
***** DONE Discuss Exceptions organization
SCHEDULED: <2021-10-18 Mon>
*** 2021-10-19 Tuesday
**** DONE whitelist synopsis.com in TEST :work:
DEADLINE: <2021-10-19 Tue>
:LOGBOOK:
CLOCK: [2021-10-19 Tue 09:04]--[2021-10-19 Tue 16:03] => 6:59
:END:
[2021-10-19 Tue 09:04]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Olivier][Olivier]]
*** 2021-10-21 Thursday
**** MEETING Weekly IROH Service Team :work:meeting:
:LOGBOOK:
CLOCK: [2021-10-21 Thu 17:16]--[2021-10-21 Thu 17:25] => 0:09
:END:
[2021-10-21 Thu 17:16]
***** Remark to tell
- Internal JWT generation, with/without client.
- Next week IROH-Auth tour probably record this.
**** MEETING FMC - Device Grant OAuth2 Flow Sync :work:meeting:
:LOGBOOK:
CLOCK: [2021-10-21 Thu 16:27]--[2021-10-21 Thu 16:51] => 0:24
:END:
[2021-10-21 Thu 16:27]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Secure Client][Secure Client]]
Updated Target Date.
No blocking issue or concerns.
We just finish delivering the feature.
Good to go for 7.2 release (in April).
Maybe maintenance release 7.0.2 in Feb.
**** MEETING Secure Client :work:meeting:me:
:LOGBOOK:
CLOCK: [2021-10-21 Thu 15:32]--[2021-10-21 Thu 16:12] => 0:40
:END:
[2021-10-21 Thu 15:32]
Jyoti discuss with a document how the 1-click module setup
should work and the constraints to obey.
*** 2021-10-22 Friday
**** MEETING Engineering Team :work:meeting:
:LOGBOOK:
CLOCK: [2021-10-22 Fri 17:03]--[2021-10-22 Fri 18:36] => 1:33
:END:
[2021-10-22 Fri 17:03]
- Working closely to finalize 1-click module setup to work.
We faced an issue in using the same client for both the ribbon and the
1-click module setup.
This not really a blocker and a fix is in the way.
** 2021-W43
#+BEGIN: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags nil :narrow 36! :match "work"
#+CAPTION: Clock summary at [2021-11-03 Wed 10:24]
| Headline | Time | | | |
|----------------------------------------------+-------+-------+------+------|
| *Total time* | *19:46* | | | |
|----------------------------------------------+-------+-------+------+------|
| \_ 2021-W43 | | 19:46 | | |
| \_ 2021-10-25 Monday | | | 3:29 | |
| \_ IROH-Auth Overview | | | | 3:29 |
| \_ 2021-10-26 Tuesday | | | 4:35 | |
| \_ All Hands | | | | 0:48 |
| \_ AO | | | | 0:29 |
| \_ IROH-Auth tour | | | | 3:18 |
| \_ 2021-10-27 Wednesday | | | 0:19 | |
| \_ security | | | | 0:18 |
| \_ preparation IROH Auth Tour | | | | 0:01 |
| \_ 2021-10-28 Thursday | | | 2:33 | |
| \_ Weekly Team | | | | 0:51 |
| \_ SecureX + Secure Client + DI... | | | | 0:29 |
| \_ Weekly Sync: SecureX / Secure... | | | | 0:35 |
| \_ SSE =CCO_id= | | | | 0:38 |
| \_ 2021-10-29 Friday | | | 8:50 | |
| \_ AO disucssion + generic discusssions | | | | 1:00 |
| \_ Jyoti email about PROD module on INT | | | | 0:14 |
| \_ aide Matt URL encoding | | | | 0:50 |
| \_ code gen docs | | | | 2:48 |
| \_ Customer Manager doc | | | | 2:34 |
| \_ morning tour | | | | 1:06 |
| \_ configurable default sort | | | | 0:18 |
#+END:
*** 2021-10-25 Monday
**** MEETING IROH-Auth Overview :work:meeting:
:LOGBOOK:
CLOCK: [2021-10-25 Mon 13:57]--[2021-10-25 Mon 17:26] => 3:29
:END:
[2021-10-25 Mon 13:57]
- ref ::
- services/iroh-auth
- lib/iroh-web/{core.clj,compojure-api.clj}
-
*** 2021-10-26 Tuesday
**** MEETING All Hands :work:meeting:
:LOGBOOK:
CLOCK: [2021-10-26 Tue 18:12]--[2021-10-26 Wed 19:00] => 0:48
:END:
**** MEETING AO :work:meeting:
:LOGBOOK:
CLOCK: [2021-10-26 Tue 17:43]--[2021-10-26 Wed 18:12] => 0:29
:END:
[2021-10-26 Tue 17:43]
- ref ::
**** MEETING IROH-Auth tour :work:meeting:
:LOGBOOK:
CLOCK: [2021-10-26 Tue 14:25]--[2021-10-26 Tue 17:43] => 3:18
:END:
[2021-10-26 Tue 14:25]
- ref :: [[file:~/dev/iroh/dev-resources/config.edn::}}]]
***** org-level entities (clients)
1. makes user-id/owner-id optional ×
2. hack the User service, to create a fake org-level user.
#+begin_src clojure
(get-user org-id)
=> {:user-id org-id
:org-id org-id
:role "admin"
:scopes ,,,,}
#+end_src
search for entities, you should search for the owned entities + (if you are
an admin for the admin-level entities.)
during the ~create-client~ to add the ability to create client with that
specific owner.
Fun: filter-map => list of filter-map
#+begin_src clojure
;; inside an Org
{:addtional-scopes #{"cisco/user:read"}}
;;
{:addtional-scopes
{:user #{}
:admin #{"cisco/user:read"}}}
#+end_src
****** Hidden migration
(get-org ,,,,)
****** IROH-Crud
TK-Store => provide a minimalist abstraction to Databases.
IROH-CRUD => provide CRUD-only related abstractions
search that
#+begin_src clojure
(search ,,,,)
(iroh-crud/search-with-admin
{:,,,, :user-id xxx :org-id xxx})
=> (tk-store/search {:filter-map [{:user-id xxxx ,,,}
{:user-id xxxx :org-id org-id}]
})
#+end_src
****** update entities
To decide later:
1. any admin should be allowed to update the org-level entities.
2. some specific admin only should be allowed to update the org-level
entites (use another scope maybe?)
Probably option 1.
*** 2021-10-27 Wednesday
**** MEETING security :work:meeting:
:LOGBOOK:
CLOCK: [2021-10-27 Wed 17:03]--[2021-10-27 Wed 17:21] => 0:18
:END:
[2021-10-27 Wed 17:03]
xx
auto loop
Proxy route
**** IN-PROGRESS preparation IROH Auth Tour :work:
:LOGBOOK:
CLOCK: [2021-10-27 Wed 12:06]--[2021-10-27 Wed 12:07] => 0:01
:END:
[2021-10-27 Wed 12:06]
- Continue on "org-level entities"
- Doc on JWT client expectations
- :load-path "" Dispatch work
- Dig if necessary
*** 2021-10-28 Thursday
**** Weekly Team :work:meeting:
:LOGBOOK:
CLOCK: [2021-10-28 Thu 17:01]--[2021-10-28 Thu 17:52] => 0:51
:END:
[2021-10-28 Thu 17:01]
- ref ::
***** Agenda (to discuss about)
***** Notes
****** G2
ES deployed, start the migration
Old tenzin config pull-request I need to update.
Ag moving to the last step to set the default fields, which are required
for ES7.
Production Bug in CTIA investigate module
Fixed the pagination.
default search was not consistent.
PR on CTIA.
Made this default search configurable per store.
Ag, PR for the enrichment?
Ambrose, ops related.
@Jyoti discussion
****** Matt Integration
- DI Irina working adding new auth in the module
- Yann fixed a security issue affecting Umbrella
- 1-click setup started to work on the org activation
- Mark work on SSE
- former_title field (rebranding guidelines)
- working on a bug in Umbrella, source URL are wrong
- log all proxy requests
****** Auth
Y
(personal)
- IROH-Auth tour
- minor fix
- clean up SAML
- security bug fix
*IROH-Auth*
1. take a task
2. write PR doc
3. review PR doc
4. optional IROH-Auth tour webex(es)
5. code
Q2:
- region switching API
- account switching inside each region
Q3:
- org-level entities
*Big hidden work*
Working on OAuth2 bug.
A bit big PR, because will need a new service to store refresh tokens and
their metas.
And we should be able to migrate/update clients.
*Security Bug Fix*
Chris Duane was happy, it was the first declared bug by Jimmy Miller.
Olivier working on providing the API for the privacy team.
Not 100% fixed, still a problem with paths.
*AO migration to OIDC*
****** Jyoti
Questions about JWT used by DI, that call Orbital on behalf on someone
else.
***** Actions
- @Jyoti: should ask Yuri about which JWT are used.
- @Jyoti: AO for Q3 for the telemetry
**** SecureX + Secure Client + DI Integration :work:meeting:
:LOGBOOK:
CLOCK: [2021-10-28 Thu 16:32]--[2021-10-28 Thu 17:01] => 0:29
:END:
[2021-10-28 Thu 16:32]
- ref :: https://cisco.webex.com/cisco/j.php?MTID=m3d2fe4735f7151dc690e000c8749ed0e
***** Discussion
****** Abhishek
- deployement
- Secure Client onboarding
- Secure Client always visible
- cannot read property from DI when adding module
- work on feature flag
.
@Paul: 1.84 today, so these fixes are going to be for date?
@Abishek: will more time to develop and test
.
****** Nirmesh Patel
- Secure Client always visible, real issue
**** Weekly Sync: SecureX / Secure Endpoint :work:meeting:
:LOGBOOK:
CLOCK: [2021-10-28 Thu 15:30]--[2021-10-28 Thu 16:05] => 0:35
:END:
[2021-10-28 Thu 15:30]
- ref :: https://cisco.webex.com/cisco/j.php?MTID=m6563218d7c961e691f62c539fc645607
What remains?
- Martin
1-click module setup
Restrict them to a region.
Who was impacted.
Nov 13th, for the 1-click module setup is at risk to be delayed.
- G2
no 1-click => nothing can happen
Dependency to deploy Secure Endpoint.
- Martin/Namrata
Jyoti is in active conversation.
- Martin/G2
Are we going to change the design?
Martin: We don't know Yet
- Vlad
Pb with Region.
An AMP tenant can only talk to 1 SecureX tenant.
- Martin
Maybe region selection.
- Release Nov 11th
- Relesases v1.85 10-Nov
.
***** Initiated SecureX 1-click module setup for Secure Endpoint
**** SSE =CCO_id= :work:discussion:
:LOGBOOK:
CLOCK: [2021-10-28 Thu 14:52]--[2021-10-28 Thu 15:30] => 0:38
:END:
[2021-10-28 Thu 14:52]
- ref :: https://github.com/advthreat/iroh/discussions/5754
So after giving more thoughts on the subject.
Here are some scenarios:
1. A person login via Okta with the email ~user-1@domain.com~
2. This person want to connect his account, then he must login via Okta
again but using another Okta account ~user-1@smart-account.com~ for example.
In this scenario there are two issues:
The first is that we do not control the Okta session.
The Okta session will keep being the one for ~user-1@smart-account.com~.
When the user will launch another product he will not use his usual
~user-1@domain.com~ Okta session.
The second, is that we should have a mechanism to understand that on the
second login, we don't want to login the user, but to merge two different
IdP accounts.
Mainly we will need to develop a new workflow, so a user could merge
multiple IdP accounts to his current SecureX account.
The implications are:
+ SecureX users should support multiple email addresses. (also note that
user login via TG have a non verified email addresses and are treated
separately on different login flows.)
+ We need to support more metas data in the IdP Mappings in general,
(typically the =CCO_id=). Now, what if a user login multiple times, and has
two different IdP Mapping with a different =CCO_id=.
+ We will need to provide a new route, that will present a new HTML page
similar to the login page but with subtle modifications.
We might, for example, negotiate another login buttons that will behave
differently (typically a login button forcing the user to use CCO).
In the end, it means we should deliver a "Merge a new Login" flow to
SecureX Accounts. And it doesn't seem to be trivial.
*** 2021-10-29 Friday
#+BEGIN: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
#+CAPTION: Clock summary at [2021-10-29 Fri 18:39]
| Tags | Headline | Time | | | |
|--------------+----------------------------------------------+------+---+------+------|
| | *Total time* | *8:50* | | | |
|--------------+----------------------------------------------+------+---+------+------|
| | \_ 2021-10-29 Friday | | | 8:50 | |
| work, chat | \_ AO disucssion + generic discusssions | | | | 1:00 |
| work, email | \_ Jyoti email about PROD module on INT | | | | 0:14 |
| work, chat | \_ aide Matt URL encoding | | | | 0:50 |
| work | \_ code gen docs | | | | 2:48 |
| work | \_ Customer Manager doc | | | | 2:34 |
| work | \_ morning tour | | | | 1:06 |
| work, review | \_ configurable default sort | | | | 0:18 |
#+END:
**** CHAT AO disucssion + generic discusssions :work:chat:
:LOGBOOK:
CLOCK: [2021-10-29 Fri 17:39]--[2021-10-29 Fri 18:39] => 1:00
:END:
[2021-10-29 Fri 18:39]
**** PAUSE :pause:
:LOGBOOK:
CLOCK: [2021-10-29 Fri 17:30]--[2021-10-29 Fri 17:38] => 0:08
:END:
[2021-10-29 Fri 17:30]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Jyoti email about PROD module on INT][Jyoti email about PROD module on INT]]
**** EMAIL Jyoti email about PROD module on INT :work:email:
:LOGBOOK:
CLOCK: [2021-10-29 Fri 17:04]--[2021-10-29 Fri 17:18] => 0:14
:END:
[2021-10-29 Fri 17:04]
- ref ::
Hi Jyoti,
I checked on INT and in our org, there is an AMP module configured with the
PROD URL.
Chris told me we have a security requirement that no production customer
data can be in INT or TEST.
Do you know why this is needed, and if we could use a QA1 URL instead?
And if not, do you know who we could ask to see if this is still needed?
If I remember correctly, I think it was used to help makes demos.
Because of this I tend to be extra cautious about the
"allowed-login-origins" parameter (see
https://github.com/advthreat/tenzin-config/pull/505).
I don't want our INT access token to be sent in the wild.
Even without this module linking to PROD I would prefer not to send the INT
JWT on 3rd party.
Because if https://vercel.app is compromised anyone will be able to access
our INT environment, generally with administrator privileges.
Thanks,
Yann.
**** CHAT aide Matt URL encoding :work:chat:
:LOGBOOK:
CLOCK: [2021-10-29 Fri 16:14]--[2021-10-29 Fri 17:04] => 0:50
:END:
[2021-10-29 Fri 16:14]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*code gen docs][code gen docs]]
**** PAUSE :pause:
:LOGBOOK:
CLOCK: [2021-10-29 Fri 16:08]--[2021-10-29 Fri 16:14] => 0:06
:END:
[2021-10-29 Fri 16:08]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*code gen docs][code gen docs]]
**** IN-PROGRESS code gen docs :work:
:LOGBOOK:
CLOCK: [2021-10-29 Fri 13:20]--[2021-10-29 Fri 16:08] => 2:48
:END:
[2021-10-29 Fri 16:07]
- ref :: [[file:~/dev/iroh/README.org::*Rebuild the generated doc][Rebuild the generated doc]]
**** CANCELED [#B] Customer Manager doc :work:
SCHEDULED: <2021-11-01 Mon 10:00>
:LOGBOOK:
- State "CANCELED" from "IN-PROGRESS" [2021-12-01 Wed 14:11]
CLOCK: [2021-10-29 Fri 11:02]--[2021-10-29 Fri 13:36] => 2:34
:END:
[2021-10-29 Fri 11:02]
- ref ::
**** morning tour :work:
:LOGBOOK:
CLOCK: [2021-10-29 Fri 09:56]--[2021-10-29 Fri 11:02] => 1:06
:END:
[2021-10-29 Fri 09:56]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/inbox.org::*Fortuneo: Amundi World (CW8)][Fortuneo: Amundi World (CW8)]]
**** REVIEW configurable default sort :work:review:
:LOGBOOK:
CLOCK: [2021-10-29 Fri 09:33]--[2021-10-29 Fri 09:51] => 0:18
:END:
[2021-10-29 Fri 09:33]
- ref :: https://github.com/threatgrid/ctia/pull/1163
** 2021-W44
*** 2021-11-03 Wednesday
#+BEGIN: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
#+CAPTION: Clock summary at [2021-11-03 Wed 18:16]
| Tags | Headline | Time | | | |
|-------------+------------------------------------+------+---+------+------|
| | *Total time* | *7:13* | | | |
|-------------+------------------------------------+------+---+------+------|
| | \_ 2021-11-03 Wednesday | | | 7:13 | |
| work | \_ Engagement pulse Teamspace | | | | 2:05 |
| work | \_ cleanup code | | | | 0:29 |
| work, email | \_ SSE potential bug | | | | 0:37 |
| work | \_ GH notif tour | | | | 0:27 |
| work, chat | \_ Discussion Guillaume | | | | 2:03 |
| work, email | \_ OIDC conf in Okta | | | | 0:01 |
| work, chat | \_ webex tour | | | | 1:31 |
#+END:
**** IN-PROGRESS Engagement pulse Teamspace :work:
:LOGBOOK:
CLOCK: [2021-11-03 Wed 16:11]--[2021-11-03 Wed 17:05] => 0:54
:END:
[2021-11-03 Wed 16:11]
- ref :: [[file:~/dev/iroh/services/iroh-auth/test/iroh_auth/test_helpers/tk.clj:::conf (conf port)})]]
**** IN-PROGRESS cleanup code :work:
:LOGBOOK:
CLOCK: [2021-11-03 Wed 15:42]--[2021-11-03 Wed 16:11] => 0:29
:END:
[2021-11-03 Wed 15:42]
**** EMAIL SSE potential bug :work:email:
:LOGBOOK:
CLOCK: [2021-11-03 Wed 15:05]--[2021-11-03 Wed 15:42] => 0:37
:END:
[2021-11-03 Wed 15:05]
Hi Yann,
We noticed that we have two tenants created in SSE APJ stack for the AMP
company ID (51ab0c3e-381b-4169-ab63-b031c685f441).
One of them with spID AMP-APJ (created on 2020-12-01 11:58:50 UTC) and the
other with spID SXSO (created on 2021-08-24 09:25:07 UTC).
I see from the logs the user ID token that came to Anubis had “SXSO”
instead on AMP-APJ resulting in this state.
Wondering what caused the spID to change in the ID token from AMP-APJ to
SXSO on 2021-08-24 ?
Could there be a possible issue here ?
#+begin_src
TX_LOG 192.168.25.199 [2021-08-24T09:25:07Z] GET /scim/v2/Organizations?filter=spId+eq+SXSO+and+orgInfo.companyId+eq+51ab0c3e-381b-4169-ab63-b031c685f441 200 774 0.0076 aba74caa-ba90-43d3-b1d2-7066750a6754 -
#+end_src
**** IN-PROGRESS GH notif tour :work:
:LOGBOOK:
CLOCK: [2021-11-03 Wed 14:38]--[2021-11-03 Wed 15:05] => 0:27
:END:
[2021-11-03 Wed 14:38]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*2021-11-03 Wednesday][2021-11-03 Wednesday]]
**** CHAT Discussion Guillaume :work:chat:
:LOGBOOK:
CLOCK: [2021-11-03 Wed 10:00]--[2021-11-03 Wed 12:03] => 2:03
:END:
[2021-11-03 Wed 10:00]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*OIDC conf in Okta][OIDC conf in Okta]]
**** EMAIL OIDC conf in Okta :work:email:
:LOGBOOK:
CLOCK: [2021-11-03 Wed 09:59]--[2021-11-03 Wed 10:00] => 0:01
:END:
[2021-11-03 Wed 09:59]
**** CHAT webex tour :work:chat:
:LOGBOOK:
CLOCK: [2021-11-03 Wed 08:28]--[2021-11-03 Wed 09:59] => 1:31
:END:
[2021-11-03 Wed 09:58]
<<<<<<< HEAD
*** 2021-11-04 Thursday
**** MEETING Weekly meeting :work:meeting:
:LOGBOOK:
CLOCK: [2021-11-04 Thu 17:00]--[2021-11-05 Fri 09:09] => 16:09
:END:
[2021-11-04 Thu 17:00]
- ref ::
***** Agenda (to discuss about)
Make a tour of everyone work.
***** Notes
Welcome
Me. ... (see tracker .org) + git weekly
Olivier. PR for oauth2-client-demo, waiting for review
Matt. logs for proxy
- auditability of the proxy; kibana dashboard
Mark. SSE passthrough, and AO
***** Actions
- review Olivier's PR
**** IN-PROGRESS Continu code cleanup :work:
:LOGBOOK:
CLOCK: [2021-11-04 Thu 15:40]--[2021-11-04 Thu 17:00] => 1:20
:END:
[2021-11-04 Thu 15:40]
- ref :: [[orgit:~/dev/iroh/][~/dev/iroh/ (magit-status)]]
**** IN-PROGRESS update Secure Endpoint client :work:
:LOGBOOK:
CLOCK: [2021-11-04 Thu 15:38]--[2021-11-04 Thu 15:40] => 0:02
:END:
[2021-11-04 Thu 15:38]
- ref :: [[orgit:~/dev/iroh/][~/dev/iroh/ (magit-status)]]
Secure Endpoint (or AMP for Endpoint)
=client-555c1f7a-b57b-4a6b-9f0b-015e311a6d06=
**** MEETING Weekly Sync: SecureX / Secure Endpoint :work:meeting:
:LOGBOOK:
CLOCK: [2021-11-04 Thu 15:00]--[2021-11-04 Thu 15:38] => 0:38
:END:
[2021-11-04 Thu 15:08]
- ref :: https://cisco.webex.com/cisco/j.php?MTID=m0a5157ed81ded94305da1bae743352fc
***** Agenda (to discuss about)
***** Notes
10-Nov:
- AC6: on/off configuration within Secure Endpoint UI
1-click module setup 8/9-Dec.
- retention of module ID and secureX org id in SE
- update of legacy module upon integration
***** Actions
**** IN-PROGRESS code :work:
:LOGBOOK:
CLOCK: [2021-11-04 Thu 13:51]--[2021-11-04 Thu 15:00] => 1:09
CLOCK: [2021-11-04 Thu 09:51]--[2021-11-04 Thu 12:07] => 2:16
:END:
[2021-11-04 Thu 09:51]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*2021-11-04 Thursday][2021-11-04 Thursday]]
**** CHAT Webex chat tour :work:chat:
:LOGBOOK:
CLOCK: [2021-11-04 Thu 09:20]--[2021-11-04 Thu 09:51] => 0:31
:END:
[2021-11-04 Thu 09:50]
*** 2021-11-05 Friday
**** MEETING SecureX Registration :work:meeting:
:LOGBOOK:
CLOCK: [2021-11-05 Fri 15:34]--[2021-11-05 Fri 16:34] => 1:00
:END:
[2021-11-05 Fri 15:33]
- ref :: https://github.com/threatgrid/response/issues/821
***** Agenda (to discuss about)
- Discuss feature
- Find a date
***** Notes
... bad org creation
1. User has SXSO account don't have invitation
Only show them active invitations.
If too many invitations in the DB.
2. second workflow, check email domain
if matches other orgs, present the orgs + asks for invitation
3. Limit access from "public" email domain
***** Actions
**** IN-PROGRESS tour :work:
:LOGBOOK:
CLOCK: [2021-11-05 Fri 11:09]--[2021-11-05 Fri 15:34] => 4:25
:END:
[2021-11-05 Fri 11:09]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Code][Code]]
**** DONE Code :work:
:LOGBOOK:
CLOCK: [2021-11-05 Fri 09:50]--[2021-11-05 Fri 11:09] => 1:19
:END:
[2021-11-05 Fri 11:08]
**** EMAIL Help John doing a cron :work:email:
:LOGBOOK:
CLOCK: [2021-11-05 Fri 09:09]--[2021-11-05 Fri 09:50] => 0:41
:END:
[2021-11-05 Fri 09:09]
- ref :: mail: How can I query an IROH endpoint programatically?
#+begin_quote
On 4 Nov 2021, at 22:23, John Jardine (johjardi) <johjardi@cisco.com> wrote:
Hi,
To support iroh-incident scaling based on a queue-depth metric ( Tenzin Issue 1553 ) I am thinking about creating a task that will be run every N minutes to query the endpoint. To do this the task would have to authenticate and I dont know how to do that for an automated tool. Not sure if the route makes a difference, the metrics are available here: /iroh/admin/queue/status-report/incidents
Can you give me any guidance or point me to any docs on how to do this?
Thanks,
John J.
#+end_quote
John,
The endpoint will not be =/iroh/admin/…= but =/admin/…= which mean it is only
reachable via the VPN, but I guess you will make the request from the
internal network.
So you should be able to reach https://iroh-adm.int.iroh.site/admin/
directly.
In order to make a call you need an OAuth2 client with the following scope:
=iroh-master/queue/incidents:read=
I created one client per environment for you;
- INT (client-79d54f25-2a71-4bcb-b057-001f53091b2f)
- TEST (client-c1a00641-45e0-4090-b80e-ce87b35a84b3)
- PROD NAM (client-22b0f44f-3d7e-4b14-a11b-5cfa35f86b83)
- PROD EU (client-b56530b0-b16c-40b2-bb77-850e32e06e8b)
- PROD APJC (client-502fb0a3-605c-4b1b-b91d-07980d5a1f2f)
I used the same password for all of them.
***** Password
The password is here:
-----BEGIN PGP MESSAGE-----
hQIMA2UoHNQCOfATARAAsDn3KJpJprlK60eUi2C4ol/2B5iCpIud6oYkeAB09yGe
Wt8ditdZdLKt+EV+Jw8QB6O+WDKl2+fN0IZGVzmzSehf6+ittlNUdeX2qJxx6RoE
Btw2VdcZIj9gzFxYf9Y9rf/9Zpp0Yc/NRBK9kKAwnPbMO0lytHUsWKTA8OcfBawZ
mOzcnhOpZeUxneEn1LKbiBSMfGsWQnPnUfme8vSwrnP3vOrgSio5rL3LwLsIz4Bq
z7yFdq8HBiF6z7NfJaxJZBljO/YDmYfjnwq024s24E+Fn9Bsdra85h1smGj+QIVE
hVIvU8fU6s8MpWuvQVNBFQXoF5IqxfaH4Z0p8as0X3qSmd4f8x3P/XdmklGAzUQ9
Za5SDn1mkJJvVK6jCRC8uf+M8nufZU/ORcFqu6eVc9WWgDJYIc93vyNMWKBnCoYl
6GMC/IpKtveWUBaa28V76sSjjunv9gNHmYNGjwoLqd7lCLKppoQtPNwVFmHKJ16o
iW0rVYoIypleOuevkEn3barYy1N6wxhZrFcHOqUMWH+kZnPjDHcTOQxCEyYDVULw
uQclzZinR1vF4PeLIdFn74n2npXjFkCkaZa0ev10QROo1Tk4O+uv+5vAFVjsm5Fh
RT3eXVGu87qnDu67fWTQjV2F7tLvYAAYdb47N9OyQjQoglPYdvqfoRFufL7oNluF
AgwDfS7loNnfM+IBEACVwXlc001cWQw9f8AV37sySKWyhB9N4SG175lu7+T9DtwH
/WDEgYERv9Fhcg7EwVclSFwUreg/PmY8cazIc1Sy6Z+Nv2TH4rp17jcy7zlZCZMT
/twmW2MvgXS42qnb7jcvb3jQ9YTJs6fHV+PCMEsfjYKq+aSGr/ton/zFGqPIcLtF
G3vZ62cyoxYebSNwXMkB9W+2t30Cg0xpTwas+3V7dkscB+sIU+KIoTsD2AqMfgyW
Cia/U8H22qZiz8ugeod/gdsZytj4e5k72Yo2fm6owpHi4i+V/p333QbbP1G1/bzo
nfUh7wT4jiApUbrJIDWebsJqi9bv3z8zLiy72BRATgRM2vd3b1Q0y83/PcC+XkT2
l3/GRRScqM9ewVziol/BzSH1jBj6oA/3VJil8YEZsNhGhX15Bs9ZLwAy2HLSzJ8G
8nVxNk6P0RRhD9m+Ue4Zb5PsH7CG21WOZTGWn/I9UXCHl7LnO4yT+qfESNDDzodF
F7Zo7E5yheTLRsXxp1f4c5cGoZvgDU293s/U3DhZt5Y6z5vN3L/IDkBap2X6OWkp
/HfIy3L0rvKwoYn3w8x+uCO0DpzUuZnjLpdarPhTWkiVj8uQkU80t3snHpvlwjEv
Hzcuzz2XkDWwzlaJEUuUJ1+my6a41fDHdNHYqSryrVLkpMLxwz1PqNi3NomhG9Lp
ARM67Ggjb520Cf5pmyj5cBZK57FMPwN2H/blT5GRcjFyfzl7H7Y+Fq9etcnZMIv+
mJAFpqCoHasnEQKL5D4huxQDEsXqLvxO3/u79GU1w0AQgqg7KJLP6b3DRWAWI/Kl
7MK95j5EPrrvl69AErdCOH+Pfqvzi1CDb4Zy2lKuMGGQRgqyLubIIdZQkzX6YLD+
xuxxyiQ+P2imToe1KGGX39AFbdXuakqBgKiSLEU7MWwEAEd/LfDuuGV+aiJ83SZI
ZWZGSe5ThdAsdWoHYcCtFgynhd+QnN5hW//ODNU8IeIPhjZRUxe2CQbAEQgfUXif
vHn+JfcSo1pf7BcOnzTOlgTqFn6NmX/SYlAL1kpG2YwcJFK3ZRK2a/0db3DbeLXp
2Nk40WD1tOdt8FDZHOXYRXFhmV6K/nEf56g7XMHnaESeEsQtzFvIq+SSxx0IkS+h
gaoAO+Mz9SKoxWcabTBHimhDxqemmtDbTdk7iHQZZhmei0DJxSdxWzwj9nYeKggK
aBxof2wuZAnki3nTlpy+p6S2S/TxP3wSZ9wMkBNkYRzWpTD5+fEqOhHtLgtyp2/M
a6YrH4b1uvk86Sz4Uk18ZuvdgoVMx5UjUnmfRxEWNrZEhatr+y4nH1PPCVsVPvXO
N3AyHCJWYGwUe+AXNegKJ8QJr/a+T2U/rVCujVoCUBGqebtm5L0RV9+1xCWmyeog
wuGXF5duRcdMNr+dAHvrdUhQIyBm4cFWYHM97lP0HkOcOM+wJjSDmT5VorCW952g
LPANVlddb4vO1TXvwjw7+yZFcpYH9pZtIC1Wp5a+UMvPewoPY2xZfh1ZsVJxUqp9
FNHFEvRJuZzq80MIGY9s1rXrKiuAWJDGqEN8rlObuwNFrFfrDLDUgEhply/3Qcvi
n73Ag7cleOs7yF4=
=iyzN
-----END PGP MESSAGE-----
***** How to use
I made a demo shell script for INT:
#+begin_src bash
#!/usr/bin/env bash
CLIENT_ID="client-79d54f25-2a71-4bcb-b057-001f53091b2f"
CLIENT_SECRET="..."
ACCESS_TOKEN=$(curl -s -X POST "https://visibility.int.iroh.site/iroh/oauth2/token" -d "grant_type=client_credentials" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -u "$CLIENT_ID:$PASSWORD"|jq '.access_token'|sed 's/"//g')
curl -X GET "https://iroh-adm.int.iroh.site/admin/queue/status-report/incidents" -H "accept: application/json" -H "Authorization: Bearer $ACCESS_TOKEN"
#+end_src
returns
#+begin_src bash
./demo.sh
[{"queue-name":"incident-sessions","total-sessions":0,"total-processing-sessions":0,"total-pending-sessions":0,"factor-increase-needed":0}]
#+end_src
What this does is:
1. retrieve an access token with the client (client-id + client-password)
2. Call the =/admin/queue/status-report/incidents= route
An important remark; notice the domain name is different between the admin
and non admin calls. For INT and TEST, you just need to replace
visibility by iroh-adm.
But in prod, you need to use a completely different URL.
Here is a JSON where I store the relations:
#+begin_src js
{"envs": [{"name":"INT",
"visurl":"int.iroh.site",
"internalurl":"int.iroh.site"},
{"name":"TEST",
"visurl":"test.iroh.site",
"internalurl":"test.iroh.site"},
{"name":"NAM",
"visurl":"amp.cisco.com",
"internalurl":"us-east-1.prod.iroh.site"},
{"name":"EU",
"visurl":"eu.amp.cisco.com",
"internalurl":"eu-west-1.prod.iroh.site"},
{"name":"APJC",
"visurl":"apjc.amp.cisco.com",
"internalurl":"ap-northeast-1.prod.iroh.site"}]}
#+end_src
Happy hacking!
Yann.
***** Details
-----BEGIN PGP MESSAGE-----
hQIMA30u5aDZ3zPiARAAqfa80rkkVQy2HpHd1tOZZ1NZaaSMwrWRQKXTfkD6fYpl
HSOfyK9+9lKBV9Uz0H+l5DclDuenJ4akAMyaF5hhr7NfPZQ9exmnkODLDnpDTLoD
adm7ArrQnowJHvMEH4ogxoWN902Q9d2apOnrHYr5JmvEc0rwv1dQ2IuJeOLEpZ33
IYqP/rnOlhPZZd7lgyHGw2iRDU3XZfkyivPQtsWZqY6XWIoL2wNj/HlomtrcPLYj
RxErXBOMS8GRr5FYeDyp+aGo3IpYMMMFffGCqew8yvphDhRYiO2SrQtTIp2+207j
V7/FSp3dp9xhsLsOM4fzFuCe9UctjbZma9QngkRjUSDU7D0rXGoKydecau4TlBy7
ZPDOlg+6JWbwXM6qXJNaYAJ6Ii3E2xGYdpBMWBRn/j9RzkS68wKeoQelySV3aDSi
y00bbq/dq1Qh+tqyi7X8wj5tGf21Ri/Yd9D6DGWVTNvt0sj9CB55v3UfgZn5gcIy
2Njdb96pO+7VGgspPf6JnwJdCFq97O9cLFK985uJpmGrYvjN5qMA2z6PewdL9PW/
bPNCXMcfwwbJxqZKcfqoJUcRAQyatPDKvPgHXDgmgRtI3oMjwhWBDl5nmYgwjSDO
uiKHNxMNGO2BMFWnJ3Qi1OTjG98+nWwmGoF6VlyzxAZtIjr2sGLrrbogreEA4XrS
6QGqDwPhIf2GA0blOoiMKDVUxstru6kiQSOL0EmlWWDgCYamUGgiWUy5nZiveRDT
JUdHsgLzIBrDElaZfxOim10PO0AkQgplMqSGfWI7LQ3fEPiIuXQFhXZBmBu+DC7C
j7+QOu6DlhyPNVL0QiI4OeucizSWamcHYKL1IVC05XYm0FITf4oKiLfiFj/upleI
736qOe9x4bsrS5ZUQmdmpCkv3Q0Yde3ATXOHxxspgOlJ55CCXRTM8J4Fcgwf38/O
zM7L9Ly/H+0g52PCsyQRMmfYigVVJf14cjcyuBEN2rie32qs91ajiuIZpG3ECRJ0
R2y4nnCKM+G8oM+23pgIWdX0ei6RAFnGANRcM7It/Ni21YcafxgkzLFJ6clMELi5
vIzy9oAG85BK7Kwo/dxe3r3wQPC8cEmt9vRdR8v5rShYp0YTX5rJXZ4Kq2U6pGVo
msxo/LQhvWsMZ2UPRIsDcyIHL36LRxdy/h7hkr6BJK2o1YwSwK0e6r4KbYlfyaij
SiBDjuxwBFFkjAbnd8LoK0JDoEid9Eg7VXoFnDgq3X3Vr/yLRjA5yLkVgDuFdhgP
zJ3k1ly4NVQTQuTalNcXY7JXV/yhP+EaxxJ09rudW0192O4EIAo8IXyPYxWmELqa
yrnulQ7+g2l3DCS+ZrWBSRDFOJZSaWIPaU0xr2jXafy1wMqreDPE+YFQ2cnvt1J7
RLdarjU7hh5vkmpxiaezi91+YFC8b+8JAb58f7MndaZfyTYK4ww+pjSOLwIg2EgE
j9xuQRu5dy9xOKLL0jj3EBYrtH9eoGTtjrC3ycm0tIQTY4BJgGQ66KjsFfSzJ6gM
FHONJHlcaIeEWsnMMKm42A15jZG0AjH1LUbnEc6KOHzwySQ28IjJvDKY2kU3Wt6R
KoxbIox8fBvD8QunG+creFmYqG1IgFIodF9QgEdleRLJCKhB95HCCm3/qdSn1362
6LyIClb09bNImrPo974yrZ/hnel8MNXPQyQJSCtqOUUI8JhRBKi0IGi07+TVIeqi
5yakl8HSxnkbT0n6KLa0ZGOKFD5d0qXjwl1s6hnI4JTKCGDOyjHptVpjxsKT08jO
1lzutH67duk6Z38Qr1fpv9iAgSCsnfgLaKC/0jbIsPsOXTpvODiHK+liAbQiqUnn
XqRbQ2x4MavIy50zutVPduNgj72IUYvGfx1WO+mKt1uymx5DXidYoLAdCIru
=4Qus
-----END PGP MESSAGE-----
=======
>>>>>>> e714315a8c096570b2629793969eec54e9fe2450
** 2021-W45
*** 2021-11-08 Monday
**** EMAIL inscription BAC Anna :work:email:
[2021-11-08 Mon 12:22]
- ref ::
** 2021-W46
*** 2021-11-17 Wednesday
**** MEETING Weekly meeting :work:meeting:
:LOGBOOK:
CLOCK: [2021-11-17 Wed 17:30]--[2021-11-17 Wed 18:19] => 0:49
:END:
[2021-11-17 Wed 17:30]
- ref ::
**** MEETING Weekly :work:meeting:
:LOGBOOK:
CLOCK: [2021-11-17 Wed 17:05]--[2021-11-17 Wed 17:06] => 0:01
:END:
[2021-11-17 Wed 17:05]
- ref ::
*** 2021-11-18 Thursday
**** MEETING Alan Interview :work:meeting:
:LOGBOOK:
CLOCK: [2021-11-18 Thu 16:29]--[2021-11-19 Fri 14:14] => 21:45
:END:
[2021-11-18 Thu 16:29]
- ref ::
***** Agenda (to discuss about)
***** Notes
***** Actions
**** CHAT Small text about the breaking PR :work:chat:
:LOGBOOK:
CLOCK: [2021-11-18 Thu 11:42]--[2021-11-18 Thu 16:29] => 4:47
:END:
[2021-11-18 Thu 11:42]
Good morning everyone!
I wanted to drop a word about this PR: https://github.com/advthreat/iroh/pull/5998
An interesting aspect of this PR was that a change (that first appeared to be minor)
in some namespace impacted a failure in a ns that did not depend
transitively of the first.
I wanted to improve our build time by filtering the test by dependent ns only.
It would have missed this build failure.
So I still think this is a good idea to have an optimized test for
branches, but the merge into master should run all the tests.
**** MEETING Alan Interview :work:meeting:
:LOGBOOK:
CLOCK: [2021-11-18 Thu 09:56]--[2021-11-18 Thu 11:42] => 1:46
:END:
[2021-11-18 Thu 09:56]
- ref ::
***** Agenda (to discuss about)
- in tupelo, why name it =glue= instead of =mconcat=?
- Why =unwrap= and not =flatten=?
***** Notes
***** Actions
*** 2021-11-19 Friday
**** MEETING Monthly Engineering Meeting :work:meeting:
:LOGBOOK:
CLOCK: [2021-11-19 Fri 17:02]--[2021-11-19 Fri 18:26] => 1:24
:END:
[2021-11-19 Fri 17:02]
- ref ::
.
***** Updates
***** Release Status
- Issue with GlaDoS deployment, 1.86 done yesterday.
- Issue with AO, pb with cross-launch.
***** Services
- High Impact Incident
- Background support for DI
- Added auditability API gateway
Will focus on replicating/synchronize across the product of incidents.
** 2021-W47
*** 2021-11-23 Tuesday
**** MEETING DI Secure Client weekly PO meeting :work:meeting:
:LOGBOOK:
CLOCK: [2021-11-23 Tue 16:08]--[2021-11-23 Tue 18:37] => 2:29
:END:
[2021-11-23 Tue 16:08]
- ref ::
***** Actions
- [ ] Apparently some clients scopes and authorization to do.
** 2021-W48
*** 2021-11-30 Tuesday
**** MEETING Simplify login page :work:meeting:
:LOGBOOK:
CLOCK: [2021-11-30 Tue 16:01]--[2021-12-02 Thu 14:55] => 46:54
:END:
[2021-11-30 Tue 16:01]
https://github.com/advthreat/GLaDOS/issues/2555
*** 2021-12-02 Thursday
**** MEETING Weekly IROH-Service Team meeting :work:meeting:
:LOGBOOK:
CLOCK: [2021-12-02 Thu 17:04]--[2021-12-02 Thu 18:01] => 0:57
:END:
[2021-12-02 Thu 17:04]
@Mark most special people are leaving.
@Jyoti about Al. Come as a surprise and a chock.
Certain there were politic about it.
Start with UI & UX.
Must not be done in silos.
I has to be implementable.
@Mark
I feel that with AO with should have blame post-mortem.
Never run all the way in TEST.
They never talk to us about it.
Discussion about QA
@Mark
Possible QA tested it and was never informed something will change.
A retro for AO integration.
***** Notes
- Working on the refresh token DB (token grants)
- Regarding the registering simplification I will need the work done by Olivier
To search users by domain name email.
- We will need a pass of technical design. We will need another entities
about requested invitations. And yet another flow to integrate an
existing SecureX org.
**** MEETING SecureX / Secure Endpoint Alignment :work:meeting:
:LOGBOOK:
CLOCK: [2021-12-02 Thu 16:04]--[2021-12-02 Thu 17:04] => 1:00
:END:
[2021-12-02 Thu 15:59]
***** Actions
Create a queue of requested invites.
Admin can approve the request, the user is added to the org.
A confirmation email is sent.
** 2021-W49
*** 2021-12-09 Thursday
**** MEETING Weekly Team Meeting :work:meeting:
:LOGBOOK:
CLOCK: [2021-12-09 Thu 17:18]--[2021-12-09 Thu 18:16] => 0:58
:END:
[2021-12-09 Thu 17:18]
- ref ::
.
***** Project Board
****** Enrich API Enhancement
Discussion
****** Webhooks
****** Hiring
no professionnal experience in Clojure
***** Remarks
IDB Decommission.
Meeting with Geetha next week.
How can I do that?
***** Actions
IDB Decommission test Monday
** 2021-W50
*** 2021-12-13 Monday
**** MEETING OIDC AO :work:meeting:
:LOGBOOK:
CLOCK: [2021-12-13 Mon 17:02]--[2021-12-13 Mon 18:33] => 1:31
:END:
[2021-12-13 Mon 17:02]
- ref ::
April Ping fed expires.
Is that still possible?
Also no expertise.
We had some action items. Where do we stand?
Are we confident?
Priority across the teams.
TG and CSA.
Just CSA and TG IdP.
***** Action
Continue test results after Holidays.
- Test CSA
- Test TG (direct OIDC)
Sync up after shutdown.
If success talk to QA to prepare tests.
*** 2021-12-15 Wednesday
**** MEETING Estimate New Registration Workflow :work:meeting:
:LOGBOOK:
CLOCK: [2021-12-15 Wed 16:29]--[2021-12-15 Wed 19:55] => 3:26
:END:
[2021-12-15 Wed 16:29]
- ref :: https://github.com/advthreat/iroh/issues/6076
***** Prevent User to login with public email page
Should propose the user to login via another account (so use logout).
Need templates.
@Jilian will do the templates.
***** Add an allow-list to pass throught the blocklist (@gmail,,,)
1.89 Feb 2.
**** MEETING IDB Decomissioning :work:meeting:
:LOGBOOK:
CLOCK: [2021-12-15 Wed 15:59]--[2021-12-15 Wed 16:29] => 0:30
:END:
[2021-12-15 Wed 15:59]
- ref ::
***** Agenda (to discuss about)
***** Notes
***** Actions
** 2021-W51
*** 2021-12-21 Tuesday
**** CHAT Dar about using UI Components in the login pages :work:chat:
:LOGBOOK:
CLOCK: [2021-12-21 Tue 10:20]
:END:
[2021-12-21 Tue 10:20]
#+begin_quote
@Dar
Hey Yann, a question came up in our weekly sync about the login flows…
now that they're getting a bit more sophisticated wouldn't it be better to
start using common UI components rather than taking snapshots/hard-copies
of styles and generating one-off templates?
what are the security concerns around client-side rendering the auth UI?
#+end_quote
Hi Dar,
So to answer the question historically.
First, we didn't have any login page.
It was 100% hosted in CTR UI.
I just provided the route to create the login links (and this could still
be used today and it is in the new login page).
We faced many bugs (most of them related to URL encoding), and thus decided
to close the gap by building an hosted login page.
That way I can 100% control the behavior and have lot of tests to check url
encoding related bugs.
Do not forget that in CTR you often want to deal with URL with very complex
URL fragments that contain a representation of the investigation, imagine
text with carriage return, URL, emails, etc…
Even recently we experienced subtle bugs. And the solution was to get rid
as much as possible of the javascript code that handled the url parsing and building.
Now, this is handled via the backend on the login page.
So the 1st reason to host the login page was convenience and bug fixing and
not necessarily security.
Regarding security, I was afraid to introduce a security bug because, the
login page is clearly a nice entry point for security attack.
So I tried to be as conservative as possible.
So no js when possible.
And if we need to use js, do not use any lib, just basic javascript so the
code is easy to understand and debug.
There is another complexity to keep in mind.
For historical reason, for now, there is no "session" when the user has
logged in via the IdP but hasn't yet selected a user and thus is not logged
in SecureX.
Right now, we handle this state with a token in the URLs.
And this token can be consumed only once.
Reference in a new issue View git blame Copy permalink