razorpay / concierge Goto Github PK

Since we are migrating to google auth for login (#3), we stripped out Duo.

We need a way for the end user to configure which one gets picked up.

Would require debug messages in the case of an IAM exception

Dependabot couldn't find a composer.json for this project.

Dependabot requires a composer.json to evaluate your project's current PHP dependencies. It had expected to find one at the path: /composer.json.

If this isn't a PHP project, or if it is a library, you may wish to disable updates for it from within Dependabot.

You can mention @dependabot in the comments below to contact the Dependabot team.

currently hosted in on wercker classic, we need to migrate to docker based pipelines as this mode is no longer supported.

This came up during compliance, we need to set the max lease time to 6 hours.

The current code is only compatible with VPC Security Groups and not EC2 Security Groups. Because of this, I am getting the below error upon logging in:

ErrorException
Undefined index: VpcId (View: /home/bitnami/concierge/app/views/getGroups.blade.php)

Should be much easier to do it with CLI instead of web version.

Recently launched for AWS: https://aws.amazon.com/blogs/aws/new-descriptions-for-security-group-rules/

The rule description for us could be: Lease created by {{email}} at {{time}} for {{duration}}

We are currently using Duo-Security for second factor and are planning to move to Google Apps Auth.

Configuration would be the domain name and google app console credentials.

Just the second factor would change from duo -> google.

If possible, we should still allow duo as a backup.

Give out the public and private IP of each instance when you are looking at a security group.

We are not processing the CIDR, we are just checking for the exact match in the whitelisting IPs so, if we pass CIDR with /29, /16. The IPs under these CIDRs will still be added in the ingress with ip.x.x.x/32.

Right now, concierge supports getting a lease on a security group for AWS. As a future extension, this is a proposal to add Traefik support for services running within a kubernetes cluster.

Changes required:

• Support Kubernetes Authentication on the backend (/manage/kubernetes) to list all ingresses with label concierge=true
• Support patching an ingress to add/edit the traefik.ingress.kubernetes.io/whitelist-source-range annotation. Only the new IP should get added, or an old IP from an expiring lease should get removed.
• Lock on an ingress resource while making changes to prevent conflicting updates.

The auth should allow concierge to:

1. List all ingresses in the namespaces it controls
2. Ability to patch ingresses.

Problem statement

Concierge grants leases to end users by adding their apparent public IP to the inbound allowlist of relevant security group.
This approach assumes client traffic will always originate from a single public IP, which can then be easily filtered.
• I use Airtel 4G dongle, it provides me with a public IPv6 address. 6to4 proxies that sit between AWS & Airtel networks almost always use an egress pool of IPv4 IPs. i.e. my apparent IPv4 keeps on changing.
• I took a direct fiber-to-home broadband connection, my ISP owns a public IPv4 /24 range and use mutiple IPs for egress. Problem remains the same.

Solution

Add JS to concierge that makes periodic calls to a beacon.gif ep., for all the auth'd users.
Once a lease is taken for a security group, concierge opens it up for a single IPv4 address.
Subsequent beacons will help concierge magically add never-seen-before IPs to all the existing leases for that user.
As long as concierge user keeps it open in a tab in their browser.