Adding mr337 CAC #3509

Merged
merged 6 commits into from Feb 12, 2020

Contributor

mr337 commented Feb 11, 2020

Description

Adding personal CAC for authentication.

Code Review Verification Steps

  • Request review from a member of a different team.
  • Have the Jira acceptance criteria been met for this change?

References

Contributor

chrisgilmerproj left a comment

You need to upload the version of your migration which contains your personal info in the Subject to staging/experimental.

@mr337 mr337 requested a review from chrisgilmerproj Feb 11, 2020
staging 1421
prod 150
```


chrisgilmerproj Feb 11, 2020

Contributor

Let's add in a thing here about using download-secure-migration 20200211150405_mr337_cac.up.sql and ensuring that the information looks correct. Specifically the Subject needs to include the full user name and EDIPI instead of github user name.


chrisgilmerproj Feb 11, 2020

Contributor

Here's me running it:

download-secure-migration 20200211150405_mr337_cac.up.sql
Enter token for arn:aws:iam::923914045601:mfa/cgilmer: 010221
Downloading from: experimental
...executing: aws s3 cp s3://transcom-ppp-app-experimental-us-west-2/secure-migrations/20200211150405_mr337_cac.up.sql ./tmp/secure_migrations/experimental/20200211150405_mr337_cac.up.sql
Downloading from: staging
...executing: aws s3 cp s3://transcom-ppp-app-staging-us-west-2/secure-migrations/20200211150405_mr337_cac.up.sql ./tmp/secure_migrations/staging/20200211150405_mr337_cac.up.sql
Downloading from: prod
...executing: aws s3 cp s3://transcom-ppp-app-prod-us-west-2/secure-migrations/20200211150405_mr337_cac.up.sql ./tmp/secure_migrations/prod/20200211150405_mr337_cac.up.sql

Files have been downloaded to these locations:

./tmp/secure_migrations/prod/20200211150405_mr337_cac.up.sql
./tmp/secure_migrations/experimental/20200211150405_mr337_cac.up.sql
./tmp/secure_migrations/staging/20200211150405_mr337_cac.up.sql

Please remember to 'rm -rf ./tmp/secure_migrations' when you are finished working


mr337 Feb 11, 2020

Author Contributor

Can you expand on the Subject part? I modified the CN to match my GH username and the migration name. Also what is an EDIPI?


chrisgilmerproj Feb 11, 2020

Contributor

Yeah, we need an identifier for whoever has a sha256 of their cert in the DB. The obvious choice is the Subject on the cert. And we record it as subject in the client_certs table. The format of that is:

'CN=LAST.FIRST.MI.EDIPI,OU=DoD+OU=PKI+OU=CONTRACTOR,O=U.S. Government,C=US',

The EDIPI is your DoD identifier and is listed on the back of your CAC and on your cert. For the version checked into the DB we want CN to be equivalent to the user's GitHub username. But in AWS S3 we want the CN to include the name and EDIPI exactly as it's listed on the cert.
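
The two forms of the Subject described in the comment above (GitHub username in the checked-in copy, name and EDIPI in the S3 copy) can be checked mechanically before upload. This is an added example, not part of the thread or the project's code; the 10-digit EDIPI pattern, the function names and the sample name `DOE.JANE.Q` are assumptions.

```python
import re

# Assumption: the EDIPI is the 10-digit DoD ID number and is the last
# dot-separated component of the CN, after the upper-case name parts.
EDIPI_CN = re.compile(r"[A-Z][A-Z'-]*(?:\.[A-Z][A-Z'-]*)+\.\d{10}")
SUBJECT_LITERAL = re.compile(r"'(CN=[^']+)'")


def parse_subject(subject):
    """Split a subject in the format quoted above into (attribute, value) pairs.

    ',' separates RDNs and '+' joins the parts of a multi-valued RDN.
    Escaped separators inside values are not handled.
    """
    pairs = []
    for part in re.split(r"[,+]", subject):
        key, sep, value = part.partition("=")
        if not sep or not value.strip():
            raise ValueError(f"malformed subject component: {part!r}")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs


def check_subject(subject, destination):
    """Return a list of problems for a subject headed to 'repo' or 's3'."""
    if destination not in ("repo", "s3"):
        raise ValueError(f"unknown destination: {destination!r}")
    cns = [v for k, v in parse_subject(subject) if k == "CN"]
    if len(cns) != 1:
        return [f"expected exactly one CN, found {len(cns)}"]
    cn = cns[0]
    if destination == "s3" and not EDIPI_CN.fullmatch(cn):
        return [f"CN {cn!r} is not LAST.FIRST.MI.EDIPI"]
    if destination == "repo" and re.search(r"\d{10}", cn):
        return [f"CN {cn!r} carries a 10-digit identifier; use the GitHub username"]
    return []


def check_migration_text(text, destination):
    """Check every single-quoted 'CN=...' literal found in migration text."""
    return {s: check_subject(s, destination) for s in SUBJECT_LITERAL.findall(text)}


# Constructed samples: the name DOE.JANE.Q and the number 1234567890 are made up.
TAIL = ",OU=DoD+OU=PKI+OU=CONTRACTOR,O=U.S. Government,C=US"
S3_COPY = f"'CN=DOE.JANE.Q.1234567890{TAIL}',"
REPO_COPY = f"'CN=mr337{TAIL}',"

if __name__ == "__main__":
    for dest in ("s3", "repo"):
        for text in (S3_COPY, REPO_COPY):
            print(dest, check_migration_text(text, dest))
```

Run it over the files fetched by download-secure-migration with destination `s3`, and over the copy headed for the repository with destination `repo`.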


mr337 Feb 11, 2020

Author Contributor

ty, double check 28ec56f to make sure I'm digesting everything correctly.

Contributor

chrisgilmerproj left a comment

Just a few doc changes and then I'm ready to approve! Looks good.

### Create PR for Migration


chrisgilmerproj Feb 11, 2020

Contributor

This could be combined with the section below titled "For local testing only". That's where I detailed how to copy the cert from the tmp directory to the local_migrations directory. Otherwise this looks good.

Contributor

chrisgilmerproj left a comment

🚀 - Thanks for the doc changes, I appreciate it.

@mr337 mr337 force-pushed the lh_cac_upload branch from dda906f to d8d2fc5 Feb 12, 2020

Contributor Author

mr337 commented Feb 12, 2020

New rebase for the update to the migrations path.

@mr337 mr337 merged commit d3630bd into master Feb 12, 2020
15 checks passed
ci/circleci: acceptance_tests_experimental Your tests passed on CircleCI!
ci/circleci: acceptance_tests_local Your tests passed on CircleCI!
ci/circleci: acceptance_tests_staging Your tests passed on CircleCI!
ci/circleci: build_app Your tests passed on CircleCI!
ci/circleci: build_migrations Your tests passed on CircleCI!
ci/circleci: build_storybook_app Your tests passed on CircleCI!
ci/circleci: build_tasks Your tests passed on CircleCI!
ci/circleci: build_tools Your tests passed on CircleCI!
ci/circleci: check_generated_code Your tests passed on CircleCI!
ci/circleci: client_test Your tests passed on CircleCI!
ci/circleci: integration_tests Your tests passed on CircleCI!
ci/circleci: pre_deps_golang Your tests passed on CircleCI!
ci/circleci: pre_deps_yarn Your tests passed on CircleCI!
ci/circleci: pre_test Your tests passed on CircleCI!
ci/circleci: server_test Your tests passed on CircleCI!