Production deploy of 2020-03 through 2020-11 #349

Merged
merged 78 commits into from
Nov 11, 2020

@gene1wood gene1wood commented Nov 11, 2020

This deploys the following PRs to production

This should be a near no-op for production which has already been manually updated

$ ./uploader_rules.py --dry-run --rules-dir ../auth0-deploy/rules
[13:42:40] DEBUG [__main__.<module>:81] Got access token for client_id:2t3y42Ads6RTXoWOulizFy0VedhUDQIa
[13:42:40] DEBUG [__main__.<module>:88] Loaded 25 remote rules from current Auth0 deployment
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/temporary-LDAP-re-reintegration.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/temporary-LDAP-re-reintegration.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in temporary-LDAP-re-reintegration :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/SAML-Convercent-Community.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/SAML-Convercent-Community.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in SAML-Convercent-Community :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/configuration-dumper.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/configuration-dumper.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in configuration-dumper :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/AWS-Federated-AMR.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/AWS-Federated-AMR.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in AWS-Federated-AMR :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/SAML-Braintree-attribute.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/SAML-Braintree-attribute.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in SAML-Braintree-attribute :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/force-ldap-logins-over-ldap.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/force-ldap-logins-over-ldap.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in force-ldap-logins-over-ldap :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/SAML-configuration-mapping.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/SAML-configuration-mapping.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in SAML-configuration-mapping :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/duosecurity.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/duosecurity.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in duosecurity :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/HRIS-is-staff.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/HRIS-is-staff.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in HRIS-is-staff :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/activate-new-users-in-CIS.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/activate-new-users-in-CIS.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in activate-new-users-in-CIS :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/Everyone-is-in-the-everyone-group.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/Everyone-is-in-the-everyone-group.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in Everyone-is-in-the-everyone-group :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/Global-Function-Declarations.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/Global-Function-Declarations.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in Global-Function-Declarations :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/default-deny-for-maintenance.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/default-deny-for-maintenance.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in default-deny-for-maintenance :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/SAML-gcp-gsuite.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/SAML-gcp-gsuite.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in SAML-gcp-gsuite :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/security-block-ips.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/security-block-ips.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in security-block-ips :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/CIS-Claims-fixups.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/CIS-Claims-fixups.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in CIS-Claims-fixups :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/AccessRules.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/AccessRules.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in AccessRules :
[13:42:40] DEBUG [__main__.<module>:175] --- auth0-AccessRules

[13:42:40] DEBUG [__main__.<module>:175] +++ local-AccessRules

[13:42:40] DEBUG [__main__.<module>:175] @@ -177,6 +177,7 @@

[13:42:40] DEBUG [__main__.<module>:175]          }
[13:42:40] DEBUG [__main__.<module>:175]  
[13:42:40] DEBUG [__main__.<module>:175]          // Check if the user is authorized to access
[13:42:40] DEBUG [__main__.<module>:175] +        // A user is authorized if they are a member of any authorized_groups or if they are one of the authorized_users
[13:42:40] DEBUG [__main__.<module>:175]          if ((app.authorized_users.length > 0 ) && (app.authorized_users.indexOf(user.email) >= 0)) {
[13:42:40] DEBUG [__main__.<module>:175]            authorized = true;
[13:42:40] DEBUG [__main__.<module>:175]          // Same dance as above, but for groups
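
Review bot: The new comment above the `authorized_users` check states the OR rule for users and groups, but it does not say that the user match on the next line is an exact, case-sensitive `indexOf(user.email)`. An `authorized_users` entry that differs from `user.email` only in letter case will not match, so either say so in the comment or compare lower-cased values on both sides. The `length > 0` test in the same condition is also redundant, since `indexOf` on an empty array already returns -1.
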
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/SAML-Navex-partition-id.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/SAML-Navex-partition-id.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in SAML-Navex-partition-id :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/temporary-hrdata.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/temporary-hrdata.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in temporary-hrdata :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/SAML-lgtm.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/SAML-lgtm.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in SAML-lgtm :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/temporary-update-at-conformance.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/temporary-update-at-conformance.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in temporary-update-at-conformance :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/restricted-users.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/restricted-users.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in restricted-users :
[13:42:40] DEBUG [__main__.<module>:175] --- auth0-restricted-users

[13:42:40] DEBUG [__main__.<module>:175] +++ local-restricted-users

[13:42:40] DEBUG [__main__.<module>:175] @@ -35,7 +35,7 @@

[13:42:40] DEBUG [__main__.<module>:175]      // Remove all group but what's allowed (IntranetWiki) just in case
[13:42:40] DEBUG [__main__.<module>:175]      console.log(`User is restricted, wiping group data for ${user.user_id}`);
[13:42:40] DEBUG [__main__.<module>:175]      user.app_metadata = user.app_metadata || {};
[13:42:40] DEBUG [__main__.<module>:175] -    const groups_to_add = ['IntranetWiki', 'restricted_users'];
[13:42:40] DEBUG [__main__.<module>:175] +    const groups_to_add = ['IntranetWiki'];
[13:42:40] DEBUG [__main__.<module>:175]      user.app_metadata.groups = groups_to_add;
[13:42:40] DEBUG [__main__.<module>:175]      user.groups = groups_to_add;
[13:42:40] DEBUG [__main__.<module>:175]      user.ldap_groups = groups_to_add;
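
Review bot: Dropping `'restricted_users'` on the `groups_to_add` line changes the group claims a restricted user carries, and nothing in the hunk says why; the only comment still reads "Remove all group but what's allowed (IntranetWiki) just in case". Add a short comment giving the reason, and confirm that nothing relies on `restricted_users` being present in `user.groups` for these users. Separately, `user.app_metadata.groups`, `user.groups` and `user.ldap_groups` are all assigned the same array object, so a later push to one changes all three; assigning a copy to each (for example with `.slice()`) avoids that.
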
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/aai.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/aai.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in aai :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/link-users-by-email-with-metadata.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/link-users-by-email-with-metadata.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in link-users-by-email-with-metadata :
[13:42:40] DEBUG [__main__.<module>:124] Reading local rule configuration ../auth0-deploy/rules/SAML-test-mozilla-com-google.json
[13:42:40] DEBUG [__main__.<module>:138] Reading local rule code ../auth0-deploy/rules/SAML-test-mozilla-com-google.js
[13:42:40] DEBUG [__main__.<module>:169] Difference found in SAML-test-mozilla-com-google :
[13:42:40] DEBUG [__main__.<module>:186] Found 25 local rules
[13:42:40] DEBUG [__main__.<module>:194] Found 0 rules that not longer exist locally and will be deleted remotely
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule temporary-LDAP-re-reintegration (rul_AjXuFWzxKuxU4BVE) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule SAML-Convercent-Community (rul_wvarCznyIOa6GzNr) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule configuration-dumper (rul_3o2aRc4u6GdSTaI8) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule AWS-Federated-AMR (rul_7e5j3U2UknqbF5oj) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule SAML-Braintree-attribute (rul_pzGmkSvSqUkq1Z7P) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule force-ldap-logins-over-ldap (rul_y6xXV2d8w410CECP) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule SAML-configuration-mapping (rul_zsufGEmKzhxDI2LU) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule duosecurity (rul_T258JgivrEe3CA5Y) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule HRIS-is-staff (rul_1kV3c7rM5wFvBejL) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule activate-new-users-in-CIS (rul_SIn3HlLdD3CB250l) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule Everyone-is-in-the-everyone-group (rul_AJUv6InkjtFycigG) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule Global-Function-Declarations (rul_1vHjz6tOZ4n3t4ij) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule default-deny-for-maintenance (rul_xPZp6tWbEXhOUtjz) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule SAML-gcp-gsuite (rul_Ni1E5hJ8YLldt2ZX) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule security-block-ips (rul_K3dHq1La3jhjD9m7) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule CIS-Claims-fixups (rul_eAwDJ0Pk6HkYgKFT) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule AccessRules (rul_Y4xta4VzQpIz5pGN) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule SAML-Navex-partition-id (rul_U4D19JIT9vnwBZJY) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule temporary-hrdata (rul_4sCpIquDIjhViJCx) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule SAML-lgtm (rul_9nBLyVeKzG8JV88b) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule temporary-update-at-conformance (rul_9WQf1MI49RF0qvYq) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule restricted-users (rul_Q1sY1rtZWm2Twp8n) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule aai (rul_4rI7wUGgV3tje2w7) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule link-users-by-email-with-metadata (rul_C7qqHcHtKGLhS2J1) on Auth0
[13:42:40] DEBUG [__main__.<module>:227] [~] Dry Run : Action not taken : Updating rule SAML-test-mozilla-com-google (rul_d20dQK2mEMVOatGU) on Auth0

april and others added 30 commits March 3, 2020 13:37
Clean up rules and then add tests for them
Bumps [acorn](https://github.com/acornjs/acorn) from 5.7.3 to 5.7.4.
- [Release notes](https://github.com/acornjs/acorn/releases)
- [Commits](acornjs/acorn@5.7.3...5.7.4)

Signed-off-by: dependabot[bot] <[email protected]>
Minor code tweaks to fix validation
…s/acorn-5.7.4

Bump acorn from 5.7.3 to 5.7.4 in /tests
april and others added 27 commits May 20, 2020 17:13
* Documenting where privateKey comes from
* Switching to await in async functions
* Setting `login_method`, which was missed before
* Skipping null attributes
Add direct creation of users in CIS from Auth0
Signed-off-by: April King <[email protected]>
Signed-off-by: April King <[email protected]>
Add fix for prod firefox accounts
Add clarifying comment about group user logical operator
Update the CIS user creation login to look at linked accounts
Add chat.mozilla.org, prod testrp and Udemy to restricted user rule
@gene1wood gene1wood requested a review from april November 11, 2020 21:34
@gene1wood gene1wood merged commit 7ee53ca into production Nov 11, 2020