# Created 2021-12-21 Tue 12:02
#+title:
#+author: Yann Esposito
* 2021
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W03.org][2021-W03]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W04.org][2021-W04]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W05.org][2021-W05]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W06.org][2021-W06]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W07.org][2021-W07]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W08.org][2021-W08]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W09.org][2021-W09]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W10.org][2021-W10]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W11.org][2021-W11]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W12.org][2021-W12]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W13.org][2021-W13]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W14.org][2021-W14]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W15.org][2021-W15]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W16.org][2021-W16]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W17.org][2021-W17]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W18.org][2021-W18]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W19.org][2021-W19]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W20.org][2021-W20]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W21.org][2021-W21]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W22.org][2021-W22]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W23.org][2021-W23]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W24.org][2021-W24]]
** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W25.org][2021-W25]]
** 2021-W33
#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
#+caption: Table 1: Clock summary at [2021-10-28 Thu 18:16]
| Tags | Headline | Time | | | |
|---------------+----------------------------------------------+--------+------+------+------|
| | *Total time* | *6:19* | | | |
|---------------+----------------------------------------------+--------+------+------+------|
| | \_ 2021-W33 | | 6:19 | | |
| | \_ 2021-08-16 Monday | | | 1:52 | |
| work | \_ Fix Carlos Hidalgo account | | | | 0:20 |
| work | \_ create an issue about email... | | | | 1:32 |
| | \_ 2021-08-17 Tuesday | | | 2:48 | |
| work | \_ Add scope to TG clients | | | | 0:38 |
| work | \_ Write an issue about 1-click... | | | | 2:03 |
| work, chat | \_ Jyoti about CDO 1-click module setup | | | | 0:07 |
| | \_ 2021-08-19 Thursday | | | 1:39 | |
| work, meeting | \_ Interview Olivier Barbeau | | | | 1:39 |
#+end:

*** 2021-08-16 Monday
**** DONE Fix Carlos Hidalgo account :work:
[2021-08-16 Mon 15:11]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*create an issue about email search case sensitivity][create an issue about email search case sensitivity]]
**** DONE create an issue about email search case sensitivity :work:
[2021-08-16 Mon 15:03]
- ref :: https://github.com/threatgrid/response/issues/818

***** Fix email case sensitivity

> Related https://github.com/threatgrid/response/issues/818

We often need to search by email. The main issue is that our search
mechanism currently does not support case-insensitive matches.

We have 4 possible solutions:

1. Lower-case the user email at creation. We also need to update the user
   emails already in our DB. The safest route to achieve this would be via
   the iroh-migration service.
2. Keep the email case-sensitive and add a new case-insensitive field, for
   example =lc-user-email=. As for option 1, we need a DB migration to add
   this new field to every existing user in the DB.
3. Add support for case-insensitive search in tk-store, perhaps with a new
   tk-store service, or by improving the current =CRUDStoreService=.
4. Add a specific service just for searching user emails that handles this
   case with a Postgres-specific query. This could also be the occasion to
   provide an explicit escape hatch through the tk-store abstraction.

The simplest is probably option 1.
Option 2 would be slightly more complex, but we would not lose any detail.
Option 3 seems the most generic one, and we could totally imagine that we
would appreciate case-insensitive search support elsewhere.
Option 4 looks like a specific case of 3.

My preference then goes to option 3, but we need to check that it is not
too difficult to achieve, and what the API would be. The most natural one
would probably add an option alongside =filter-map=, like
=case-insensitive-fields=. One issue would be writing the support for
case-insensitive matches for the =atom= and =redis= stores.
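As an added illustration of the API shape discussed in option 3 (and of the normalization that options 1 and 2 rely on), here is a small Python model; it is not tk-store or IROH code. An in-memory store exposes a =search= that takes a filter map plus a =case_insensitive_fields= set, and a second path shows the derived =lc-user-email= field of option 2. The store, the helper names and the sample users are assumptions constructed for this example.

```python
"""Added example, not tk-store/IROH code: filter-map search with an optional
case-insensitive field set (option 3) next to a derived lc-user-email field
(option 2). All names and data below are assumptions for illustration."""

# Constructed sample users; keys mirror the page's hyphenated field names.
USERS = [
    {"user-id": "u1", "user-email": "Carlos.Hidalgo@Example.com", "org-id": "o1"},
    {"user-id": "u2", "user-email": "ada@example.com", "org-id": "o1"},
    {"user-id": "u3", "user-email": "STRASSE@example.com", "org-id": "o2"},
]


def normalize_email(email: str) -> str:
    # casefold() is stricter than lower(): "ß".casefold() == "ss", so
    # "Straße@x" and "STRASSE@x" compare equal. Whatever function is chosen
    # must be used both at write time (options 1/2) and at query time,
    # otherwise a migration and later lookups silently disagree.
    return email.strip().casefold()


def matches(entity: dict, filter_map: dict, case_insensitive_fields=frozenset()) -> bool:
    # Every key of the filter map must match (AND semantics); fields listed in
    # case_insensitive_fields are compared after normalization.
    for field, wanted in filter_map.items():
        have = entity.get(field)
        if have is None:
            return False
        if field in case_insensitive_fields:
            if normalize_email(str(have)) != normalize_email(str(wanted)):
                return False
        elif have != wanted:
            return False
    return True


def search(store, filter_map: dict, case_insensitive_fields=frozenset()):
    """Option 3: the store itself understands case-insensitive fields."""
    return [e for e in store if matches(e, filter_map, case_insensitive_fields)]


def with_lc_email(entity: dict) -> dict:
    # Option 2: keep the original email and add the derived field the
    # migration would add to every existing user.
    return {**entity, "lc-user-email": normalize_email(entity["user-email"])}


def find_by_email_option2(store, email: str):
    """Option 2: exact-match search on the derived field, no store changes."""
    lc_store = [with_lc_email(e) for e in store]
    return search(lc_store, {"lc-user-email": normalize_email(email)})
```

Both paths return the same users for the same query; the difference is where the normalization cost lands (once per write and migration for option 2, on every comparison for option 3).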


**** TODO Interview Steven Collins

*** 2021-08-17 Tuesday
**** DONE Add scope to TG clients :work:
[2021-08-17 Tue 17:54]

In tenzin config:

#+begin_src
- INT: 34d94c8c-2041-4708-8172-ebe2df295ca7-2
- TEST: f993f6a0-8075-43e0-a9e5-dae9c3980513
- NAM: 7b8d9fef-bd93-4ef3-88af-ae4174ee02e5
- EU: a1662193-9155-44fd-aa1f-43afd42c889c
#+end_src
**** DONE Write an issue about 1-click module setup :work:
[2021-08-17 Tue 15:51]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/Cisco.org.gpg::*Activation Optimization][Activation Optimization]]
**** CHAT Jyoti about CDO 1-click module setup :work:chat:
[2021-08-17 Tue 15:44]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/Cisco.org.gpg::*Epics][Epics]]

*** 2021-08-19 Thursday
#+begin: clocktable :scope subtree :maxlevel 4 :timestamp t :link t :tags t :narrow 36! :match "work"
#+caption: Table 2: Clock summary at [2021-08-19 Thu 17:43]
| Timestamp | Tags | Headline | Time | | | |
|------------------------+---------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---+------+------|
| | | *Total time* | *1:39* | | | |
|------------------------+---------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---+------+------|
| | | \_ [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*2021-08-19 Thursday][2021-08-19 Thursday]] | | | 1:39 | |
| [2021-08-19 Thu 16:04] | work, meeting | \_ [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Interview Olivier Barbeau][Interview Olivier Barbeau]] | | | | 1:39 |
#+end:

**** MEETING Interview Olivier Barbeau :work:meeting:
[2021-08-19 Thu 16:04]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/Cisco.org.gpg::*Self Presentation][Self Presentation]]

** 2021-W35
#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
#+caption: Table 3: Clock summary at [2021-10-28 Thu 18:15]
| Tags | Headline | Time | | | |
|---------------+---------------------------+--------+------+------+------|
| | *Total time* | *2:54* | | | |
|---------------+---------------------------+--------+------+------+------|
| | \_ 2021-W35 | | 2:54 | | |
| | \_ 2021-09-02 Thursday | | | 2:54 | |
| work, meeting | \_ Weekly meeting | | | | 2:54 |
#+end:


*** 2021-09-02 Thursday
**** MEETING Weekly meeting :work:meeting:
[2021-09-02 Thu 17:06]

Guillaume started with the *Design Planning* GitHub project.

- SecureX session
- High Impact Incident

Sorry

** 2021-W36

*** 2021-09-08 Wednesday
**** MEETING 1-click module setup weekly meeting :work:meeting:
[2021-09-08 Wed 17:30]
- ref :: https://miro.com/app/board/o9J_l57_gro=/

Miro dashboard from Chloe:

https://miro.com/app/board/o9J_l57_gro=/


Discussion:

When to TEST: tomorrow.
Asking for the client_id in TEST.


Client-id: client-555c1f7a-b57b-4a6b-9f0b-015e311a6d06

*** 2021-09-09 Thursday
**** MEETING Interview: Florin Braghis :work:meeting:
[2021-09-09 Thu 15:49]

** 2021-W37
#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
#+caption: Table 4: Clock summary at [2021-10-28 Thu 18:15]
| Tags | Headline | Time | | | |
|---------------+---------------------------+---------+-------+-------+-------|
| | *Total time* | *22:11* | | | |
|---------------+---------------------------+---------+-------+-------+-------|
| | \_ 2021-W37 | | 22:11 | | |
| | \_ 2021-09-14 Tuesday | | | 1:04 | |
| work | \_ Device Grant | | | | 1:04 |
| | \_ 2021-09-16 Thursday | | | 21:07 | |
| work, meeting | \_ Team weekly | | | | 21:07 |
#+end:


*** 2021-09-14 Tuesday
**** IN-PROGRESS Device Grant :work:
[2021-09-14 Tue 19:31]
- ref ::

*** 2021-09-16 Thursday
**** MEETING Team weekly :work:meeting:
[2021-09-16 Thu 17:25]

Ambrose, Irina, Guillaume, Matt, Yann

TO MENTION: Device Grant with FMC => public clients

***** Incident discussion

*** 2021-09-17 Friday
**** MEETING Presenting the projects :work:meeting:
[2021-09-17 Fri 14:32]
- ref :: https://github.com/advthreat/iroh/projects

***** Pres

****** General

******* Project Organization

Every project has an owner (main point of contact for the FT).
Now only leads, but could be anyone in the future.

****** [Design] Shared IROH Auth Session

The goal of this project, which is not an official FT, is to reflect and
write proposals to reach the feeling of a shared session across all Cisco
Security products via SecureX.

- solution using cookies
- solution using OpenID Connect

****** [Design] High Impact Incident

/Guillaume Ereteo/ did awesome work providing multiple proposals to be
able to deliver the feature as fast as possible.

1. filter on source (only AMP)
2. Add severity on the incident model
3. Incident with high impact via an IROH route: https://github.com/advthreat/iroh/issues/5710
   - needs the proxy from Ambrose
   - needs sync with the engine team too

****** SecureX Suite Session Improvement

Delivered yesterday in v1.81.
Limits the number of interstitial pages between SecureX and CTR/SSE.

- For Orbital, the Launch button is missing; the back-end work is done as
  we do not need any SXSO app link.

****** [HOLD] Cisco Secure Client Integration

Still no work to be done by the IROH Services team.

****** Hiring

Since the last meeting, two new hires will join us in the next few weeks:
Kiril and Olivier.

Kiril lives in Germany and Olivier in France.

****** 1-Click Module Setup

Integration in progress by CDO and SWC.

/Irina/ worked to provide the vault metadata API for SWC.

AMP is in the QA test phase.

****** ModuleType updates

Just saw the rename of "Threat Grid" into "Secure Malware Analytics".

****** [HOLD] CTIA Hydrant support
****** CTIA Incident Manager Improvement
****** Bug Squashing

- Fixed a bug where a user could log in to an org that rejects non-admin user logins
- Fixed a refresh-token bug that would grant too many scopes to an access token
- Fixed a potential discrepancy in login page URL parsing

****** [HOLD] ES 7 Migration
****** Device Insights Integration

- Wanderson: webhooks work; a notification is triggered for every
  module-instance configuration change.

****** AppLinks API
****** SSE API Extension & OAuth2 Device Grant
- FMC ⇒ public clients for Device Grants
****** Incident Assignment Notifications

/Ambrose/ worked to make IROH a proxy to private intel for incident
assignment notifications.
Should be delivered in v1.82.

** 2021-W39
#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
#+caption: Table 5: Clock summary at [2021-10-28 Thu 18:15]
| Tags | Headline | Time | | | |
|---------------+----------------------------+--------+------+------+------|
| | *Total time* | *6:30* | | | |
|---------------+----------------------------+--------+------+------+------|
| | \_ 2021-W39 | | 6:30 | | |
| | \_ 2021-09-29 Wednesday | | | 3:18 | |
| work, meeting | \_ Interview | | | | 3:18 |
| | \_ 2021-10-01 Friday | | | 3:12 | |
| work, meeting | \_ App Links | | | | 1:41 |
| work, meeting | \_ Secure Client | | | | 1:31 |
#+end:


*** 2021-09-29 Wednesday
**** MEETING Interview :work:meeting:
[2021-09-29 Wed 16:12]
- ref :: [[file:~/dev/ring-jwt-middleware/src/ring_jwt_middleware/core.clj::jwt-check-fn (s/=> s/Any s/Str JwtClaims)]]

*** 2021-10-01 Friday
**** MEETING App Links :work:meeting:
[2021-10-01 Fri 17:26]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Secure Client][Secure Client]]
**** MEETING Secure Client :work:meeting:
[2021-10-01 Fri 15:55]

Meeting link:
https://cisco.webex.com/cisco/j.php?MTID=m5814a8530a0870a19a57230bfd6d4b0e

** 2021-W40
#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
#+caption: Table 6: Clock summary at [2021-10-28 Thu 18:15]
| Tags | Headline | Time | | | |
|---------------+-----------------------------------------+---------+-------+-------+-------|
| | *Total time* | *38:18* | | | |
|---------------+-----------------------------------------+---------+-------+-------+-------|
| | \_ 2021-W40 | | 38:18 | | |
| | \_ 2021-10-05 Tuesday | | | 0:46 | |
| work | \_ Training Interviewing | | | | 0:46 |
| | \_ 2021-10-07 Thursday | | | 32:04 | |
| work, meeting | \_ DI blockers | | | | 23:32 |
| work | \_ support | | | | 1:16 |
| work, chat | \_ check continu | | | | 6:38 |
| work, chat | \_ support DI JWT signature | | | | 0:19 |
| work, support | \_ client update via admin for CMD | | | | 0:18 |
| work, chat | \_ Check morning webex. | | | | 0:01 |
| | \_ 2021-10-08 Friday | | | 5:28 | |
| work, meeting | \_ IDB decommissioning | | | | 2:28 |
| work, meeting | \_ Customer Manager | | | | 3:00 |
#+end:


*** 2021-10-05 Tuesday
**** MEETING DI weekly :work:meeting:
[2021-10-05 Tue 15:30]

#+begin_quote
From Yuri

Hi,
Things I’d like to discuss in our sync meeting today:
1. The integration modules screen:
   1. When will all the modules be updated with the relevant text?
   2. When will all the modules be deployed to production?
   3. Same goes for the DI module? Need help in updating its text and taking it to production as well
   4. The filter by capability for device insights currently shows an empty result in production
2. Integration code
   1. Is there still some integration code that is pending?
   2. What is the status of https://github.com/advthreat/iroh/issues/5680?
   ii. Any other open issues?
   1. Any blockers that you see for deploying to production?
3. Assets API QA?
#+end_quote

1.a. doc team
1.b

2.a

**** IN-PROGRESS Training Interviewing :work:
[2021-10-05 Tue 14:44]
***** Past performance predicts the future

*Behavioral questions*

- tell me about a time when...
- Where and how have you used ,,, to achieve ,,,
- Walk me through the system/process/etc...

*Better behavioral questions*

More specific to their experience, not generic.

- concise
- clear
- relevant
- practiced
- tailored to the job

***** Real purpose of interviewing

Predict whether or not they'd be successful in our company.

Evidence?
- Yes, specific examples
- Yes, demonstration

What the candidate will think about the question.

****** Clear on hiring criteria

*skills & knowledge, attributes, achievements, motivations*

Targeted probing behavioral interviewing.

Go deep, specific, examples.
Ask the *how* to detect liars, lack of honesty.

- what ,,, what did you do, what was your role, etc...
Questions need specific responses.

Do brainteasers work? No.
Use problem-solving questions: how would you do/solve/etc...?

Examples:

- role play question. ×
- problem they solved. ✓


What work-related experience(s) changed your opinion(s) on something?

****** One question to rule them all?

Combination question.
Find combo questions.

*Probing*

*** 2021-10-07 Thursday
**** MEETING DI blockers :work:meeting:
[2021-10-07 Thu 18:01]

#+begin_quote
@Yuri:

I’ve opened the issues there, still need to set priorities.
Here is the list of the issues I’m currently aware of that are important
for the release:

1. https://github.com/advthreat/iroh/issues/5680 - didn’t open a new ticket for this one, since it already has tracking.
2. Umbrella module -
   a. Allow configuring only DI relevant fields - https://github.com/threatgrid/response/issues/933
   b. Placement of fields - https://github.com/threatgrid/response/issues/934
   c. Add explanations of DI relevant fields - https://github.com/threatgrid/response/issues/935
   d. Umbrella doesn't send the external reference info - https://github.com/threatgrid/response/issues/936
3. filtering for the device insights SecureX modules in the Integration Modules screen - results in an empty set - https://github.com/threatgrid/response/issues/937

If you know of something else, please add here

@Matt:
2.a is also tracked here https://github.com/advthreat/iroh/issues/5821
#+end_quote


1. Doc discussion 30min
2. show time (Yuri shares chat)



**** IN-PROGRESS support :work:
[2021-10-07 Thu 16:45]
- ref :: https://github.com/threatgrid/tenzin/issues/1530

new-org

#+begin_src js
{
  "id": "00000000-0000-0000-6473-000028fbaa95",
  "name": "GATE/Tier3",
  "enabled?": true,
  "created-at": "2021-10-07T17:00:00.000Z",
  "scim-status": "activated",
  "additional-scopes": [
    "iroh-master:read",
    "iroh-admin:read",
    "iroh-master/tac",
    "iroh-auth:read"]
}
#+end_src

IdP Mapping INT/TEST

#+begin_src js
{
  "idp": "sxso",
  "user-identity-id": "00uox5862kEG8G0CD0h7",
  "enabled?": true
}
#+end_src

IdP Mapping PROD

#+begin_src js
{
  "idp": "sxso",
  "user-identity-id": "00u4dmbgyjnx4glS2357",
  "enabled?": true
}
#+end_src


Users to invite:


#+begin_src js
[{"invitee-email":"ashakarc@cisco.com","role":"admin"},
 {"invitee-email":"bmacer@cisco.com", "role":"admin"},
 {"invitee-email":"caknowle@cisco.com","role":"admin"},
 {"invitee-email":"cdeleanu@cisco.com","role":"admin"},
 {"invitee-email":"daphgalm@cisco.com","role":"admin"},
 {"invitee-email":"djanulik@cisco.com","role":"admin"},
 {"invitee-email":"bmahsan@cisco.com", "role":"admin"},
 {"invitee-email":"majacob2@cisco.com","role":"admin"},
 {"invitee-email":"sorianto@cisco.com","role":"admin"},
 {"invitee-email":"stabulic@cisco.com","role":"admin"}]
#+end_src

**** CHAT check continu :work:chat:
[2021-10-07 Thu 10:07]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*support DI JWT signature][support DI JWT signature]]
**** CHAT support DI JWT signature :work:chat:
[2021-10-07 Thu 09:45]
- ref :: https://github.com/advthreat/iroh/issues/5680

**** IN-PROGRESS client update via admin for CMD :work:support:
[2021-10-07 Thu 09:27]
- ref :: https://github.com/advthreat/iroh/issues/5827

Cisco Secure Email Cloud Mailbox

- module NAM client-0be615ab-b0ff-4c12-8a85-f16c95e7d396
- ribbon NAM client-e36ba40b-5710-402d-b036-ada6d7817c55
- module EU client-6fc3230c-936a-40c1-ad73-f9f28700804e
- ribbon EU client-164688ee-cd5d-44b6-be3d-5e255955e969


**** CHAT Check morning webex. :work:chat:
[2021-10-07 Thu 09:26]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/notes/journal/2021/2021-10-07.org::*09:20][09:20]]
**** PAUSE Journal :pause:
[2021-10-07 Thu 09:20]

*** 2021-10-08 Friday
**** MEETING IDB decommissioning :work:meeting:
[2021-10-08 Fri 20:33]
- ref :: [[file:~/dev/iroh/services/iroh-auth/test/iroh_auth/oauth2_web_service_test.clj][file:~/dev/iroh/services/iroh-auth/test/iroh_auth/oauth2_web_service_test.clj]]

- SSE side decommission

Chander Goyal

Context: SX released as a platform; SSE had a PingFed ID Broker.
Also for CSA.

We want to use IROH-Auth directly.

CSA migration was launched.
SSE side done.

CSA should be completed very soon.
Let's not change PingFed.

Nov 2019 -> nobody left in PingFed at SSE.

Very limited knowledge.
The license was a Cisco Wideside license,
ending in 2022.

We want to duplicate PingFed.
**** MEETING Customer Manager :work:meeting:
[2021-10-08 Fri 17:33]
- ref :: ,,,

** 2021-W41
#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
#+caption: Table 7: Clock summary at [2021-10-28 Thu 18:15]
| Tags | Headline | Time | | | |
|------+----------------------------------------------+--------+------+------+------|
| | *Total time* | *1:35* | | | |
|------+----------------------------------------------+--------+------+------+------|
| | \_ 2021-W41 | | 1:35 | | |
| | \_ 2021-10-14 Thursday | | | 1:35 | |
| work | \_ Write Customer Manager doc | | | | 1:10 |
| work | \_ write attack on Webhooks with JWT... | | | | 0:25 |
#+end:


*** 2021-10-14 Thursday
**** IN-PROGRESS Write Customer Manager doc :work:
[2021-10-14 Thu 15:23]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*write attack on Webhooks with JWT from emitters][write attack on Webhooks with JWT from emitters]]
**** IN-PROGRESS write attack on Webhooks with JWT from emitters :work:
[2021-10-14 Thu 14:58]

Attack using the access_token/id_token of the emitter rather than of the
webhook owner.

Webhooks are a generic mechanism, but here we only focus on webhooks used by
internal Cisco team integrations.

So the webhook mechanism is used to push, to a trusted API, the fact that a
change occurred in SecureX (typically a module instance change).

The call must be authenticated by the API.
The call should also optionally contain access/refresh tokens for the
destination, so the integration team can access IROH as the user who
emitted the event.

The issue is that nothing explicitly prevents any user from obtaining an
access/id token generated by the same client we use to build the
authentication headers. A SecureX user from any org can get hold of their
own access token/id token (this is entirely possible, and easy for DI since
their client is public). Any such user could then call the API endpoint to
fake real webhook events, potentially injecting cross-tenant/cross-user
false events.

To mitigate this issue, we suggest:

1. Always use the owner of the webhook and the client of the team to build
   id_tokens (if possible, not access_tokens).
   The JWT we build should have a specific audience (this is already the
   case for DI at least). The API team *MUST* check that the =sub= claim
   matches the =owner-id= field of the webhook, as well as verifying the JWT
   signature.
2. Provide the emitter tokens in the body of the HTTP call made when the
   webhook is triggered.


- With 1, we prevent this cross-tenant/cross-user attack.
- With 2, we not only provide even more data than before, but the team can
  use the token directly without going through the "custom route" to
  retrieve the refresh token (as it is already provided in the webhook HTTP
  body).

** 2021-W42
#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
#+caption: Table 8: Clock summary at [2021-10-28 Thu 18:15]
| Tags | Headline | Time | | | |
|-------------------+---------------------------------------------+--------+------+------+------|
| | *Total time* | *9:45* | | | |
|-------------------+---------------------------------------------+--------+------+------+------|
| | \_ 2021-W42 | | 9:45 | | |
| | \_ 2021-10-19 Tuesday | | | 6:59 | |
| work | \_ whitelist synopsis.com in TEST | | | | 6:59 |
| | \_ 2021-10-21 Thursday | | | 1:13 | |
| work, meeting | \_ Weekly IROH Service Team | | | | 0:09 |
| work, meeting | \_ FMC - Device Grant OAuth2 Flow Sync | | | | 0:24 |
| work, meeting, me | \_ Secure Client | | | | 0:40 |
| | \_ 2021-10-22 Friday | | | 1:33 | |
| work, meeting | \_ Engineering Team | | | | 1:33 |
#+end:


*** 2021-10-18 Monday
**** TODO Write Weekly todos :work:
[2021-10-18 Mon 10:56]
- ref ::
***** DONE Check Wanderson PRs/Webhooks
***** DONE Customer Manager Doc
***** DONE IROH-Auth tour
****** DONE Organize invitations for IROH-Auth tour + bugfix, etc...
***** DONE Discuss Exceptions organization
*** 2021-10-19 Tuesday
**** DONE whitelist synopsis.com in TEST :work:
[2021-10-19 Tue 09:04]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Olivier][Olivier]]

*** 2021-10-21 Thursday
**** MEETING Weekly IROH Service Team :work:meeting:
[2021-10-21 Thu 17:16]
***** Remarks to make

- Internal JWT generation, with/without client.
- Next week's IROH-Auth tour: probably record it.


**** MEETING FMC - Device Grant OAuth2 Flow Sync :work:meeting:
[2021-10-21 Thu 16:27]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Secure Client][Secure Client]]

Updated target date.
No blocking issues or concerns.

We just finished delivering the feature.

Good to go for the 7.2 release (in April).
Maybe the 7.0.2 maintenance release in February.

**** MEETING Secure Client :work:meeting:me:
[2021-10-21 Thu 15:32]

Jyoti presented a document on how the 1-click module setup
should work and the constraints to obey.

*** 2021-10-22 Friday
**** MEETING Engineering Team :work:meeting:
[2021-10-22 Fri 17:03]

- Working closely to finalize the 1-click module setup.
  We faced an issue using the same client for both the ribbon and the
  1-click module setup.
  This is not really a blocker and a fix is on the way.

** 2021-W43
#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags nil :narrow 36! :match "work"
#+caption: Table 9: Clock summary at [2021-11-03 Wed 10:24]
| Headline | Time | | | |
|----------------------------------------------+---------+-------+------+------|
| *Total time* | *19:46* | | | |
|----------------------------------------------+---------+-------+------+------|
| \_ 2021-W43 | | 19:46 | | |
| \_ 2021-10-25 Monday | | | 3:29 | |
| \_ IROH-Auth Overview | | | | 3:29 |
| \_ 2021-10-26 Tuesday | | | 4:35 | |
| \_ All Hands | | | | 0:48 |
| \_ AO | | | | 0:29 |
| \_ IROH-Auth tour | | | | 3:18 |
| \_ 2021-10-27 Wednesday | | | 0:19 | |
| \_ security | | | | 0:18 |
| \_ preparation IROH Auth Tour | | | | 0:01 |
| \_ 2021-10-28 Thursday | | | 2:33 | |
| \_ Weekly Team | | | | 0:51 |
| \_ SecureX + Secure Client + DI... | | | | 0:29 |
| \_ Weekly Sync: SecureX / Secure... | | | | 0:35 |
| \_ SSE =CCO_id= | | | | 0:38 |
| \_ 2021-10-29 Friday | | | 8:50 | |
| \_ AO discussion + generic discussions | | | | 1:00 |
| \_ Jyoti email about PROD module on INT | | | | 0:14 |
| \_ help Matt URL encoding | | | | 0:50 |
| \_ code gen docs | | | | 2:48 |
| \_ Customer Manager doc | | | | 2:34 |
| \_ morning tour | | | | 1:06 |
| \_ configurable default sort | | | | 0:18 |
#+end:

*** 2021-10-25 Monday
**** MEETING IROH-Auth Overview :work:meeting:
[2021-10-25 Mon 13:57]
- ref ::


- services/iroh-auth
- lib/iroh-web/{core.clj,compojure-api.clj}
-

*** 2021-10-26 Tuesday
**** MEETING All Hands :work:meeting:
**** MEETING AO :work:meeting:
[2021-10-26 Tue 17:43]
- ref ::
**** MEETING IROH-Auth tour :work:meeting:
[2021-10-26 Tue 14:25]
- ref :: [[file:~/dev/iroh/dev-resources/config.edn::}}]]

***** org-level entities (clients)
1. make user-id/owner-id optional ×
2. hack the User service to create a fake org-level user.

#+begin_src clojure
(get-user org-id)

=> {:user-id org-id
    :org-id org-id
    :role "admin"
    :scopes ,,,,}
#+end_src

When searching for entities, you should search for the owned entities plus
(if you are an admin) the admin-level entities.

During ~create-client~, add the ability to create a client with that
specific owner.

Fun: filter-map => list of filter-maps


#+begin_src clojure
;; inside an Org
{:additional-scopes #{"cisco/user:read"}}
;;
{:additional-scopes
 {:user #{}
  :admin #{"cisco/user:read"}}}
#+end_src

****** Hidden migration

(get-org ,,,,)

****** IROH-Crud

TK-Store => provides a minimalist abstraction over databases.
IROH-CRUD => provides CRUD-only related abstractions
search that

#+begin_src clojure
(search ,,,,)

(iroh-crud/search-with-admin
  {:,,,, :user-id xxx :org-id xxx})
=> (tk-store/search {:filter-map [{:user-id xxxx ,,,}
                                  {:user-id xxxx :org-id org-id}]

                     })
#+end_src

****** update entities
|
||
|
||
To decide later:
|
||
|
||
1. any admin should be allowed to update the org-level entities.
|
||
2. some specific admin only should be allowed to update the org-level
|
||
entites (use another scope maybe?)
|
||
|
||
Probably option 1.
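As an added illustration of the two points above (the ~search-with-admin~ filter-map expansion and "option 1" for updates), here is the logic in Python rather than the project's Clojure; it is not IROH code. It assumes the org-level pseudo-user's user-id equals the org-id, as in the ~(get-user org-id)~ sketch, that roles are "admin"/"user", and that an entity's owner may always update it.

```python
"""Org-level entities via a fake org-level user (added illustration, not IROH code).

Assumptions (not from the notes): entities are dicts with "user-id"/"org-id" keys,
a user's role is "admin" or "user", and the org-level pseudo-user's user-id is the
org-id itself, as in the (get-user org-id) sketch.
"""


def org_level_user(org_id):
    """The fake org-level user: its user-id is the org-id itself."""
    return {"user-id": org_id, "org-id": org_id, "role": "admin", "scopes": set()}


def search_filter_maps(user):
    """Expand one filter-map into the list of filter-maps the store ORs together.

    Owned entities always; org-level entities (owner == org-id) only for admins.
    """
    owned = {"user-id": user["user-id"], "org-id": user["org-id"]}
    if user["role"] != "admin":
        return [owned]
    org_level = {"user-id": user["org-id"], "org-id": user["org-id"]}
    return [owned, org_level]


def matches(entity, filter_map):
    """An entity matches a filter-map when every key/value of the map is equal."""
    return all(entity.get(k) == v for k, v in filter_map.items())


def search(store, user):
    """A list of filter-maps is a disjunction: return entities matching any of them."""
    fms = search_filter_maps(user)
    return [e for e in store if any(matches(e, fm) for fm in fms)]


def can_update(user, entity):
    """Option 1 from the notes: the owner may update; any admin of the same org may
    update org-level entities; never across orgs (assumed owner rule)."""
    if entity["org-id"] != user["org-id"]:
        return False
    if entity["user-id"] == user["user-id"]:
        return True
    is_org_level = entity["user-id"] == entity["org-id"]
    return is_org_level and user["role"] == "admin"


# Constructed sample store and users (not real data).
STORE = [
    {"id": "c1", "user-id": "u-alice", "org-id": "org-A"},
    {"id": "c2", "user-id": "u-bob", "org-id": "org-A"},
    {"id": "c3", "user-id": "org-A", "org-id": "org-A"},  # org-level client of org-A
    {"id": "c4", "user-id": "org-B", "org-id": "org-B"},  # org-level client of another org
]

ALICE_ADMIN = {"user-id": "u-alice", "org-id": "org-A", "role": "admin"}
BOB_USER = {"user-id": "u-bob", "org-id": "org-A", "role": "user"}

if __name__ == "__main__":
    print([e["id"] for e in search(STORE, ALICE_ADMIN)])  # ['c1', 'c3']
    print([e["id"] for e in search(STORE, BOB_USER)])     # ['c2']
    print(can_update(BOB_USER, STORE[2]))                 # False
```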

*** 2021-10-27 Wednesday
**** MEETING security :work:meeting:
[2021-10-27 Wed 17:03]

xx

auto loop

Proxy route

**** IN-PROGRESS preparation IROH Auth Tour :work:
[2021-10-27 Wed 12:06]

- Continue on "org-level entities"
- Doc on JWT client expectations
- :load-path "" Dispatch work
- Dig if necessary

*** 2021-10-28 Thursday
**** Weekly Team :work:meeting:
[2021-10-28 Thu 17:01]
- ref ::
***** Agenda (to discuss about)

***** Notes
****** G2
ES deployed, start the migration
Old tenzin config pull-request I need to update.

Ag moving to the last step to set the default fields, which are required
for ES7.

Production Bug in CTIA investigate module

Fixed the pagination.
default search was not consistent.
PR on CTIA.
Made this default search configurable per store.

Ag, PR for the enrichment?

Ambrose, ops related.

@Jyoti discussion
****** Matt Integration

- DI Irina working on adding new auth in the module
- Yann fixed a security issue affecting Umbrella
- 1-click setup started to work on the org activation
- Mark works on SSE
- former_title field (rebranding guidelines)
- working on a bug in Umbrella, source URLs are wrong
- log all proxy requests

****** Auth

Y

(personal)
- IROH-Auth tour
- minor fix
- clean up SAML
- security bug fix

*IROH-Auth*

1. take a task
2. write PR doc
3. review PR doc
4. optional IROH-Auth tour webex(es)
5. code

Q2:
- region switching API
- account switching inside each region
Q3:
- org-level entities

*Big hidden work*
Working on OAuth2 bug.
A bit big PR, because it will need a new service to store refresh tokens and
their metadata.
And we should be able to migrate/update clients.

*Security Bug Fix*
Chris Duane was happy, it was the first declared bug by Jimmy Miller.

Olivier working on providing the API for the privacy team.

Not 100% fixed, still a problem with paths.

*AO migration to OIDC*
****** Jyoti
Questions about JWTs used by DI, that call Orbital on behalf of someone
else.

***** Actions

- @Jyoti: should ask Yuri about which JWTs are used.
- @Jyoti: AO for Q3 for the telemetry
**** SecureX + Secure Client + DI Integration :work:meeting:
[2021-10-28 Thu 16:32]
- ref :: https://cisco.webex.com/cisco/j.php?MTID=m3d2fe4735f7151dc690e000c8749ed0e

***** Discussion
****** Abhishek

- deployment
- Secure Client onboarding
- Secure Client always visible
- cannot read property from DI when adding module
- work on feature flag

@Paul: 1.84 today, so these fixes are going to be for which date?
@Abishek: will need more time to develop and test

****** Nirmesh Patel

- Secure Client always visible, real issue

**** Weekly Sync: SecureX / Secure Endpoint :work:meeting:
[2021-10-28 Thu 15:30]
- ref :: https://cisco.webex.com/cisco/j.php?MTID=m6563218d7c961e691f62c539fc645607

What remains?

- Martin

1-click module setup

Restrict them to a region.
Who was impacted.

Nov 13th for the 1-click module setup is at risk of being delayed.

- G2

no 1-click => nothing can happen

Dependency to deploy Secure Endpoint.

- Martin/Namrata

Jyoti is in active conversation.

- Martin/G2

Are we going to change the design?

Martin: We don't know yet

- Vlad

Problem with Region.

An AMP tenant can only talk to 1 SecureX tenant.

- Martin

Maybe region selection.

- Release Nov 11th
- Releases v1.85 10-Nov

***** Initiated SecureX 1-click module setup for Secure Endpoint


**** SSE =CCO_id= :work:discussion:
[2021-10-28 Thu 14:52]
- ref :: https://github.com/advthreat/iroh/discussions/5754

So after giving more thought to the subject,
here are some scenarios:

1. A person logs in via Okta with the email ~user-1@domain.com~
2. This person wants to connect his account, then he must log in via Okta
   again but using another Okta account, ~user-1@smart-account.com~ for example.

In this scenario there are two issues:

The first is that we do not control the Okta session.
The Okta session will keep being the one for ~user-1@smart-account.com~.
When the user launches another product he will not use his usual
~user-1@domain.com~ Okta session.

The second is that we should have a mechanism to understand that on the
second login, we don't want to log the user in, but to merge two different
IdP accounts.

Mainly we will need to develop a new workflow, so a user could merge
multiple IdP accounts into his current SecureX account.

The implications are:

- SecureX users should support multiple email addresses. (Also note that
  users logging in via TG have a non-verified email address and are treated
  separately in different login flows.)
- We need to support more metadata in the IdP Mappings in general
  (typically the =CCO_id=). Now, what if a user logs in multiple times and has
  two different IdP Mappings with a different =CCO_id=?
- We will need to provide a new route that will present a new HTML page
  similar to the login page but with subtle modifications.
  We might, for example, negotiate other login buttons that will behave
  differently (typically a login button forcing the user to use CCO).

In the end, it means we should deliver a "Merge a new Login" flow to
SecureX Accounts. And it doesn't seem to be trivial.

*** 2021-10-29 Friday
#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
#+caption: Table 10: Clock summary at [2021-10-29 Fri 18:39]
| Tags | Headline | Time | | | |
|--------------+----------------------------------------------+--------+---+------+------|
| | *Total time* | *8:50* | | | |
|--------------+----------------------------------------------+--------+---+------+------|
| | \_ 2021-10-29 Friday | | | 8:50 | |
| work, chat | \_ AO discussion + generic discussions | | | | 1:00 |
| work, email | \_ Jyoti email about PROD module on INT | | | | 0:14 |
| work, chat | \_ help Matt URL encoding | | | | 0:50 |
| work | \_ code gen docs | | | | 2:48 |
| work | \_ Customer Manager doc | | | | 2:34 |
| work | \_ morning tour | | | | 1:06 |
| work, review | \_ configurable default sort | | | | 0:18 |
#+end:
**** CHAT AO discussion + generic discussions :work:chat:
[2021-10-29 Fri 18:39]
**** PAUSE :pause:
[2021-10-29 Fri 17:30]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Jyoti email about PROD module on INT][Jyoti email about PROD module on INT]]
**** EMAIL Jyoti email about PROD module on INT :work:email:
[2021-10-29 Fri 17:04]
- ref ::

Hi Jyoti,

I checked on INT and in our org, there is an AMP module configured with the
PROD URL.

Chris told me we have a security requirement that no production customer
data can be in INT or TEST.

Do you know why this is needed, and if we could use a QA1 URL instead?
And if not, do you know who we could ask to see if this is still needed?
If I remember correctly, I think it was used to help make demos.

Because of this I tend to be extra cautious about the
"allowed-login-origins" parameter (see
https://github.com/advthreat/tenzin-config/pull/505).

I don't want our INT access token to be sent in the wild.
Even without this module linking to PROD I would prefer not to send the INT
JWT to 3rd parties.
Because if https://vercel.app is compromised anyone will be able to access
our INT environment, generally with administrator privileges.

Thanks,
Yann.
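As an added illustration of the concern in the email above (Python, not the project's Clojure, and not tenzin-config's actual implementation), here is the kind of check an "allowed-login-origins" parameter implies: a post-login redirect that would carry the token is honoured only when its origin (scheme, host, port) exactly matches an allow-listed origin, so a host that merely contains, or ends with, an allowed name never receives the INT JWT. The allow-list contents and the parameter's exact semantics are assumptions here.

```python
"""Strict origin allow-list for login redirects (added illustration, not IROH/tenzin code).

Assumed semantics of "allowed-login-origins": a list of origins, each written as
scheme://host[:port], that may receive the post-login redirect carrying the token.
"""
from urllib.parse import urlsplit

# Constructed example allow-list for an INT-like environment (not real config).
ALLOWED_LOGIN_ORIGINS = [
    "https://visibility.int.iroh.site",
    "https://localhost:3000",
]

_DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Return the normalised (scheme, host, port) origin of a URL, or None when the
    URL has no usable origin (relative URL, non-http scheme, unparsable port)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in _DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port or _DEFAULT_PORTS[scheme]
    except ValueError:  # e.g. a non-numeric port
        return None
    return (scheme, parts.hostname.lower(), port)


def allowed_origins(config_values):
    """Parse the allow-list once. Entries that are not proper origins are dropped,
    so a malformed entry fails closed instead of matching anything."""
    parsed = {origin_of(v) for v in config_values}
    parsed.discard(None)
    return parsed


def redirect_allowed(redirect_url, allowed):
    """Exact origin match only: no substring, prefix or suffix matching on the host,
    and a scheme downgrade (https -> http) is a different origin and is refused."""
    origin = origin_of(redirect_url)
    return origin is not None and origin in allowed


ALLOWED = allowed_origins(ALLOWED_LOGIN_ORIGINS)

if __name__ == "__main__":
    for u in [
        "https://visibility.int.iroh.site/investigate#q=x",
        "https://visibility.int.iroh.site.example.net/",
        "http://visibility.int.iroh.site/",
        "https://example.net/?next=https://visibility.int.iroh.site",
    ]:
        print(redirect_allowed(u, ALLOWED), u)
```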
**** CHAT help Matt URL encoding :work:chat:
[2021-10-29 Fri 16:14]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*code gen docs][code gen docs]]
**** PAUSE :pause:
[2021-10-29 Fri 16:08]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*code gen docs][code gen docs]]
**** IN-PROGRESS code gen docs :work:
[2021-10-29 Fri 16:07]
- ref :: [[file:~/dev/iroh/README.org::*Rebuild the generated doc][Rebuild the generated doc]]
**** CANCELED Customer Manager doc :work:
[2021-10-29 Fri 11:02]
- ref ::
**** morning tour :work:
[2021-10-29 Fri 09:56]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/inbox.org::*Fortuneo: Amundi World (CW8)][Fortuneo: Amundi World (CW8)]]
**** REVIEW configurable default sort :work:review:
[2021-10-29 Fri 09:33]
- ref :: https://github.com/threatgrid/ctia/pull/1163

** 2021-W44

*** 2021-11-03 Wednesday
#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work"
#+caption: Table 11: Clock summary at [2021-11-03 Wed 18:16]
| Tags | Headline | Time | | | |
|-------------+------------------------------------+--------+---+------+------|
| | *Total time* | *7:13* | | | |
|-------------+------------------------------------+--------+---+------+------|
| | \_ 2021-11-03 Wednesday | | | 7:13 | |
| work | \_ Engagement pulse Teamspace | | | | 2:05 |
| work | \_ cleanup code | | | | 0:29 |
| work, email | \_ SSE potential bug | | | | 0:37 |
| work | \_ GH notif tour | | | | 0:27 |
| work, chat | \_ Discussion Guillaume | | | | 2:03 |
| work, email | \_ OIDC conf in Okta | | | | 0:01 |
| work, chat | \_ webex tour | | | | 1:31 |
#+end:
**** IN-PROGRESS Engagement pulse Teamspace :work:
[2021-11-03 Wed 16:11]
- ref :: [[file:~/dev/iroh/services/iroh-auth/test/iroh_auth/test_helpers/tk.clj:::conf (conf port)})]]
**** IN-PROGRESS cleanup code :work:
[2021-11-03 Wed 15:42]
**** EMAIL SSE potential bug :work:email:
[2021-11-03 Wed 15:05]
Hi Yann,

We noticed that we have two tenants created in SSE APJ stack for the AMP
company ID (51ab0c3e-381b-4169-ab63-b031c685f441).
One of them with spID AMP-APJ (created on 2020-12-01 11:58:50 UTC) and the
other with spID SXSO (created on 2021-08-24 09:25:07 UTC).

I see from the logs the user ID token that came to Anubis had “SXSO”
instead of AMP-APJ, resulting in this state.
Wondering what caused the spID to change in the ID token from AMP-APJ to
SXSO on 2021-08-24?
Could there be a possible issue here?

#+begin_src
TX_LOG 192.168.25.199 [2021-08-24T09:25:07Z] GET /scim/v2/Organizations?filter=spId+eq+SXSO+and+orgInfo.companyId+eq+51ab0c3e-381b-4169-ab63-b031c685f441 200 774 0.0076 aba74caa-ba90-43d3-b1d2-7066750a6754 -
#+end_src


**** IN-PROGRESS GH notif tour :work:
[2021-11-03 Wed 14:38]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*2021-11-03 Wednesday][2021-11-03 Wednesday]]
**** CHAT Discussion Guillaume :work:chat:
[2021-11-03 Wed 10:00]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*OIDC conf in Okta][OIDC conf in Okta]]
**** EMAIL OIDC conf in Okta :work:email:
[2021-11-03 Wed 09:59]
**** CHAT webex tour :work:chat:
[2021-11-03 Wed 09:58]

*** 2021-11-04 Thursday
**** MEETING Weekly meeting :work:meeting:
[2021-11-04 Thu 17:00]
- ref ::
***** Agenda (to discuss about)
Make a tour of everyone's work.
***** Notes
Welcome

Me. ... (see tracker .org) + git weekly
Olivier. PR for oauth2-client-demo, waiting for review
Matt. logs for proxy
- auditability of the proxy; kibana dashboard
Mark. SSE passthrough, and AO

***** Actions
- review Olivier's PR
**** IN-PROGRESS Continue code cleanup :work:
[2021-11-04 Thu 15:40]
- ref :: https://github.com/advthreat/iroh
**** IN-PROGRESS update Secure Endpoint client :work:
[2021-11-04 Thu 15:38]
- ref :: https://github.com/advthreat/iroh

Secure Endpoint (or AMP for Endpoint)

=client-555c1f7a-b57b-4a6b-9f0b-015e311a6d06=
**** MEETING Weekly Sync: SecureX / Secure Endpoint :work:meeting:
[2021-11-04 Thu 15:08]
- ref :: https://cisco.webex.com/cisco/j.php?MTID=m0a5157ed81ded94305da1bae743352fc
***** Agenda (to discuss about)
***** Notes
10-Nov:

- AC6: on/off configuration within Secure Endpoint UI

1-click module setup 8/9-Dec.

- retention of module ID and SecureX org id in SE
- update of legacy module upon integration

***** Actions
**** IN-PROGRESS code :work:
[2021-11-04 Thu 09:51]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*2021-11-04 Thursday][2021-11-04 Thursday]]
**** CHAT Webex chat tour :work:chat:
[2021-11-04 Thu 09:50]

*** 2021-11-05 Friday
**** MEETING SecureX Registration :work:meeting:
[2021-11-05 Fri 15:33]
- ref :: https://github.com/threatgrid/response/issues/821
***** Agenda (to discuss about)
- Discuss feature
- Find a date
***** Notes

... bad org creation

1. User has an SXSO account but no invitation

Only show them active invitations.
If too many invitations in the DB.

2. second workflow, check email domain

if it matches other orgs, present the orgs + ask for an invitation

3. Limit access from "public" email domains

***** Actions
**** IN-PROGRESS tour :work:
[2021-11-05 Fri 11:09]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Code][Code]]
**** DONE Code :work:
[2021-11-05 Fri 11:08]
**** EMAIL Help John doing a cron :work:email:
[2021-11-05 Fri 09:09]
- ref :: mail: How can I query an IROH endpoint programmatically?

#+begin_quote
On 4 Nov 2021, at 22:23, John Jardine (johjardi) <johjardi@cisco.com> wrote:

Hi,

To support iroh-incident scaling based on a queue-depth metric ( Tenzin Issue 1553 ) I am thinking about creating a task that will be run every N minutes to query the endpoint. To do this the task would have to authenticate and I don’t know how to do that for an automated tool. Not sure if the route makes a difference, the metrics are available here: /iroh/admin/queue/status-report/incidents

Can you give me any guidance or point me to any docs on how to do this?

Thanks,
John J.
#+end_quote

John,

The endpoint will not be =/iroh/admin/…= but =/admin/…=, which means it is only
reachable via the VPN, but I guess you will make the request from the
internal network.
So you should be able to reach https://iroh-adm.int.iroh.site/admin/
directly.

In order to make a call you need an OAuth2 client with the following scope:

=iroh-master/queue/incidents:read=

I created one client per environment for you:

- INT (client-79d54f25-2a71-4bcb-b057-001f53091b2f)
- TEST (client-c1a00641-45e0-4090-b80e-ce87b35a84b3)
- PROD NAM (client-22b0f44f-3d7e-4b14-a11b-5cfa35f86b83)
- PROD EU (client-b56530b0-b16c-40b2-bb77-850e32e06e8b)
- PROD APJC (client-502fb0a3-605c-4b1b-b91d-07980d5a1f2f)

I used the same password for all of them.

***** Password

The password is here:
***** How to use

I made a demo shell script for INT:

#+begin_src bash
#!/usr/bin/env bash
CLIENT_ID="client-79d54f25-2a71-4bcb-b057-001f53091b2f"
CLIENT_SECRET="..."
# Client-credentials grant: client id and secret are sent as HTTP basic auth
# to the token endpoint; jq -r prints the raw token without quotes.
ACCESS_TOKEN=$(curl -s -X POST "https://visibility.int.iroh.site/iroh/oauth2/token" \
  -d "grant_type=client_credentials" \
  -H "accept: application/json" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -u "$CLIENT_ID:$CLIENT_SECRET" | jq -r '.access_token')
# The admin route lives on a different host than the token endpoint.
curl -X GET "https://iroh-adm.int.iroh.site/admin/queue/status-report/incidents" \
  -H "accept: application/json" \
  -H "Authorization: Bearer $ACCESS_TOKEN"
#+end_src

returns

#+begin_src bash
❯ ./demo.sh
[{"queue-name":"incident-sessions","total-sessions":0,"total-processing-sessions":0,"total-pending-sessions":0,"factor-increase-needed":0}]
#+end_src

What this does is:

1. retrieve an access token with the client (client-id + client-password)
2. call the =/admin/queue/status-report/incidents= route

An important remark: notice the domain name is different between the admin
and non-admin calls. For INT and TEST, you just need to replace
visibility by iroh-adm.
But in prod, you need to use a completely different URL.

Here is a JSON where I store the relations:

#+begin_src js
{"envs": [{"name":"INT",
           "visurl":"int.iroh.site",
           "internalurl":"int.iroh.site"},
          {"name":"TEST",
           "visurl":"test.iroh.site",
           "internalurl":"test.iroh.site"},
          {"name":"NAM",
           "visurl":"amp.cisco.com",
           "internalurl":"us-east-1.prod.iroh.site"},
          {"name":"EU",
           "visurl":"eu.amp.cisco.com",
           "internalurl":"eu-west-1.prod.iroh.site"},
          {"name":"APJC",
           "visurl":"apjc.amp.cisco.com",
           "internalurl":"ap-northeast-1.prod.iroh.site"}]}
#+end_src

Happy hacking!
Yann.

***** Details

** 2021-W45

*** 2021-11-08 Monday
**** EMAIL BAC registration Anna :work:email:
[2021-11-08 Mon 12:22]
- ref ::

** 2021-W46

*** 2021-11-17 Wednesday
**** MEETING Weekly meeting :work:meeting:
[2021-11-17 Wed 17:30]
- ref ::
**** MEETING Weekly :work:meeting:
[2021-11-17 Wed 17:05]
- ref ::

*** 2021-11-18 Thursday
**** MEETING Alan Interview :work:meeting:
[2021-11-18 Thu 16:29]
- ref ::
***** Agenda (to discuss about)
***** Notes
***** Actions
**** CHAT Small text about the breaking PR :work:chat:
[2021-11-18 Thu 11:42]

Good morning everyone!

I wanted to drop a word about this PR: https://github.com/advthreat/iroh/pull/5998

An interesting aspect of this PR was that a change (that first appeared to be minor)
in some namespace caused a failure in a ns that did not depend
transitively on the first.

I wanted to improve our build time by filtering the tests by dependent ns only.
It would have missed this build failure.
So I still think it is a good idea to have an optimized test run for
branches, but the merge into master should run all the tests.

**** MEETING Alan Interview :work:meeting:
[2021-11-18 Thu 09:56]
- ref ::
***** Agenda (to discuss about)

- in tupelo, why name it =glue= instead of =mconcat=?
- Why =unwrap= and not =flatten=?

***** Notes
***** Actions

*** 2021-11-19 Friday
**** MEETING Monthly Engineering Meeting :work:meeting:
[2021-11-19 Fri 17:02]
- ref ::


***** Updates
***** Release Status

- Issue with GlaDoS deployment, 1.86 done yesterday.
- Issue with AO, problem with cross-launch.

***** Services

- High Impact Incident
- Background support for DI
- Added auditability API gateway

Will focus on replicating/synchronizing incidents across the products.

** 2021-W47

*** 2021-11-23 Tuesday
**** MEETING DI Secure Client weekly PO meeting :work:meeting:
[2021-11-23 Tue 16:08]
- ref ::
***** Actions

- [ ] Apparently some client scopes and authorizations to do.

** 2021-W48

*** 2021-11-30 Tuesday
**** MEETING Simplify login page :work:meeting:
[2021-11-30 Tue 16:01]

https://github.com/advthreat/GLaDOS/issues/2555

*** 2021-12-02 Thursday
**** MEETING Weekly IROH-Service Team meeting :work:meeting:
[2021-12-02 Thu 17:04]

@Mark most special people are leaving.

@Jyoti about Al. Came as a surprise and a shock.
Certain there were politics about it.
Start with UI & UX.

Must not be done in silos.
It has to be implementable.

@Mark

I feel that with AO we should have a blame post-mortem.
Never ran all the way in TEST.
They never talked to us about it.

Discussion about QA

@Mark
Possibly QA tested it and was never informed something would change.
A retro for AO integration.

***** Notes

- Working on the refresh token DB (token grants)
- Regarding the registration simplification I will need the work done by Olivier
  to search users by email domain name.
- We will need a pass of technical design. We will need other entities
  for requested invitations. And yet another flow to integrate an
  existing SecureX org.


**** MEETING SecureX / Secure Endpoint Alignment :work:meeting:
[2021-12-02 Thu 15:59]
***** Actions
Create a queue of requested invites.
Admin can approve the request, the user is added to the org.
A confirmation email is sent.

** 2021-W49

*** 2021-12-09 Thursday
**** MEETING Weekly Team Meeting :work:meeting:
[2021-12-09 Thu 17:18]
- ref ::


***** Project Board

****** Enrich API Enhancement
Discussion
****** Webhooks
****** Hiring
no professional experience in Clojure
***** Remarks

IDB Decommission.
Meeting with Geetha next week.

How can I do that?

***** Actions
IDB Decommission test Monday

** 2021-W50

*** 2021-12-13 Monday
**** MEETING OIDC AO :work:meeting:
[2021-12-13 Mon 17:02]
- ref ::

April PingFed expires.
Is that still possible?
Also no expertise.

We had some action items. Where do we stand?

Are we confident?
Priority across the teams.

TG and CSA.

Just CSA and TG IdP.
***** Action

Continue test results after Holidays.
- Test CSA
- Test TG (direct OIDC)

Sync up after shutdown.
If successful, talk to QA to prepare tests.
*** 2021-12-15 Wednesday
**** MEETING Estimate New Registration Workflow :work:meeting:
[2021-12-15 Wed 16:29]
- ref :: https://github.com/advthreat/iroh/issues/6076

***** Prevent User from logging in with public email page

Should propose the user to log in via another account (so use logout).

Need templates.
@Jilian will do the templates.
***** Add an allow-list to pass through the blocklist (@gmail,,,)

1.89 Feb 2.

**** MEETING IDB Decommissioning :work:meeting:
[2021-12-15 Wed 15:59]
- ref ::
***** Agenda (to discuss about)
***** Notes
***** Actions

** 2021-W51

*** 2021-12-21 Tuesday
**** CHAT Dar about using UI Components in the login pages :work:chat:
[2021-12-21 Tue 10:20]

#+begin_quote
@Dar
Hey Yann, a question came up in our weekly sync about the login flows…
now that they're getting a bit more sophisticated wouldn't it be better to
start using common UI components rather than taking snapshots/hard-copies
of styles and generating one-off templates?
what are the security concerns around client-side rendering the auth UI?
#+end_quote


Hi Dar,

So to answer the question historically.
First, we didn't have any login page.
It was 100% hosted in CTR UI.
I just provided the route to create the login links (and this could still
be used today and it is in the new login page).

We faced many bugs (most of them related to URL encoding), and thus decided
to close the gap by building a hosted login page.
That way I can 100% control the behavior and have lots of tests to check URL
encoding related bugs.
Do not forget that in CTR you often want to deal with URLs with very complex
URL fragments that contain a representation of the investigation; imagine
text with carriage returns, URLs, emails, etc…

Even recently we experienced subtle bugs. And the solution was to get rid
as much as possible of the JavaScript code that handled the URL parsing and building.
Now, this is handled via the backend on the login page.

So the 1st reason to host the login page was convenience and bug fixing and
not necessarily security.

Regarding security, I was afraid to introduce a security bug because the
login page is clearly a nice entry point for security attacks.
So I tried to be as conservative as possible.
So no JS when possible.
And if we need to use JS, do not use any lib, just basic JavaScript so the
code is easy to understand and debug.

There is another complexity to keep in mind.
For historical reasons, for now, there is no "session" when the user has
logged in via the IdP but hasn't yet selected a user and thus is not logged
in SecureX.
Right now, we handle this state with a token in the URLs.
And this token can be consumed only once.
By that I mean, in the account selection page you will have links looking like:

- https://..../select-org-1?code=XXX
- https://..../select-org-2?code=XXX
- https://..../select-org-3?code=XXX

When the user clicks on the first link, the code =XXX=
will be consumed and the other links will not work.
So I ensure that the user needs to perform a login workflow again to log
into another org.

So that being said,
I think now we are in a new situation where I think we could totally have a
lot more convenient system.

1. I need to create a notion of session when the user is logged in in the
   IdP but has not selected a SecureX account.
2. Use more JS to ease the UI work, typically UI components. The limit
   being that the CSP headers are restrictive in the sense that we must host
   the JS at the same URL, and we should probably still generate data via
   the backend, maybe still keep a bit of HTML.

In fact, we need the backend to be able to provide a set of information to
the UI and take care that no XSS could be possible.
I think the main risk is that the login page must support complex query
parameters.
So great care should be taken in the parsing of these query parameters.
To give a concrete example:

You should be able to generate a page for a URL looking like:

https://securex...cisco.com/login?redirects=<URL2>

Where URL2 should be encoded correctly, and could itself be complex:

URL2: https://visibility...cisco.com/investigate#q=<QUERY>
|
||
|
||
Where QUERY should be encoded an could contain urls, emails:
|
||
|
||
QUERY:
|
||
|
||
#+begin_src
|
||
url:http://attack.com/foo?param=something-complex
|
||
foo@example.com
|
||
some random text
|
||
carriage return, unicode, emojis? etc…
|
||
#+end_src
|
||
|
||
So to present the login page, every button should take care that adding a
|
||
=<script>= somewhere will not generate an XSS, that the encoding is correct.
|
||
And that login link could be forged by an attacker, and it should not be
|
||
possible to hijack the redirection to a non allowed login endpoint.
|
||
Because in that case, the endpoint will get a =code= from which we could
|
||
retrieve the creds of the user.
|
||
|
||
To me this totally doable, and I think should be the preferred route.
|