From ff4e53ef362edff4314d353ba11858dda9535d2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lars=20K=C3=A5re=20Skj=C3=B8restad?= <10708951+larskaare@users.noreply.github.com>
Date: Thu, 7 Dec 2023 11:08:23 +0000
Subject: [PATCH] Update eqn adaptions

---
 README.md | 8 ++------
 Support/md_template.md | 17 -----------------
 Support/workshop_preparations.md | 4 ++--
 admin/readme.md | 14 +++++++-------
 src/readme.md | 2 +-
 src/templates/client.env.template | 2 +-
 src/templates/episodes.env.template | 8 ++++----
 src/templates/quote.env.template | 6 +++---
 8 files changed, 20 insertions(+), 41 deletions(-)
 delete mode 100644 Support/md_template.md

diff --git a/README.md b/README.md
index 3485621..e7428fc 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@
 [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](/CONTRIBUTING.md)
 [![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-v2.0%20adopted-ff69b4.svg)](CODE_OF_CONDUCT.md)
-This is a **hands-on** AppSec fundamentals workshop where we explore protecting API's and Web apps. We look at authentication (authn), authorization (authz) and friends.
+This is a **hands-on** AppSec fundamentals workshop where we explore protecting API's and Web apps. We look at authentication (authn), authorization (authz) and friends. This version of the workshop is the **Codespaces** edition. Using you browser we run all exercises in a _all inclusive_ virtual environment.
 In the workshop participant will get to know key technologies such as OAuth2, OpenID Connect (OIDC) and Microsoft Entra ID. Our journey will take us from the rfc specifications, to manual request, to coding, to using frameworks, to debugging and to testing. After the workshop participants should have a pretty good understanding of the mechanics behind the scenes as well as relevant security/privacy concerns.
@@ -30,7 +30,7 @@ In the workshop participant will get to know key technologies such as OAuth2, Op
 * Exploring The **Implicit grant** for Native, Mobile, SPA
 * Exploring **PKCE** for Native, Mobile, SPA
 * Exploring Web **API's** protection
-* Exploring Web **API chaining** scenarios
+* Exploring Web **API chaining** scenarios (OBO)
 ## Exercise index
@@ -62,7 +62,3 @@ To enable a good flow and outcome of the workshop it is vital to come prepared.
 ## Non Equinor adaptions
 The workshop makes a few assumptions about the availability of various infrastructure components we use in Equinor. These are marked with ⚡️ and may need to be adopted to your context.
-
-### Section 1
-
-### Section 2
\ No newline at end of file
diff --git a/Support/md_template.md b/Support/md_template.md
deleted file mode 100644
index eda0e01..0000000
--- a/Support/md_template.md
+++ /dev/null
@@ -1,17 +0,0 @@
-# Title
-
-Description of purpose
-
-Steps:
-
-
-## --Now You--
-
-* .
-
-## --Discuss security issues and good practices--
-
-* ..
-
-## Prologue
-
diff --git a/Support/workshop_preparations.md b/Support/workshop_preparations.md
index a5f2c17..662baaa 100644
--- a/Support/workshop_preparations.md
+++ b/Support/workshop_preparations.md
@@ -11,7 +11,7 @@ Prior to joining the workshop the preconditions below should be met. This means
 ## Important pre-requisites
-- You need the [Azure Application Developer](https://docs.omnia.equinor.com/governance/iam/App-General-Info/) role (Apply using Acccess@IT) ⚡️
-- You need access to the [Equinor](https://github.com/equinor) organization on [github.com](https://github.com)
Verify access by opening the SSO end-point [https://github.com/orgs/equinor/sso](https://github.com/orgs/equinor/sso) ⚡️
+- ⚡️ You need the [Azure Application Developer](https://docs.omnia.equinor.com/governance/iam/App-General-Info/) role (Apply using Acccess@IT)
+- ⚡️ You need access to the [Equinor](https://github.com/equinor) organization on [github.com](https://github.com)
Verify access by opening the SSO end-point [https://github.com/orgs/equinor/sso](https://github.com/orgs/equinor/sso)
diff --git a/admin/readme.md b/admin/readme.md
index a936adf..d935382 100644
--- a/admin/readme.md
+++ b/admin/readme.md
@@ -10,10 +10,10 @@ Tasks to do before/after workshop. Current set-up is assuming a virtual workshop
 * Coordinate with instructors/assistants
 * Reserve slots in calendar
 * If needed, reserve physical meeting rooms
- * Create a sign-up document, open the sign-up document for **write** for everyone with and Eqn Account
+ * ⚡️ Create a sign-up document, open the sign-up document for **write** for everyone with and Eqn Account
 * Add reminders in instructors calendars on relevant check-points (2 week, 1 week, 1 week after etc...)
 * 2-3 weeks prior
- * Announce / Invite on Slack
+ * ⚡️ Announce / Invite on Slack
 * Title
 * Abstract
 * Teams are encouraged to send a group
@@ -30,17 +30,17 @@ Tasks to do before/after workshop. Current set-up is assuming a virtual workshop
 * Collect feedback as part of last day
 * 1 week after
 * Evaluate, update, repeat
- * Remove permission from sign-up document. Should only be available to the AppSec team after the WS for statistics
+ * ⚡️ Remove permission from sign-up document. Should only be available to the AppSec team after the WS for statistics
 * Review and summarize info gathered in workshop retrospective
 * Do a workshop retrospective amongst instructors
 * Decide on changes, create issues/tasks on board for updates
 * Delete groups output of exercises from course Slack channel?
 * 2 weeks after
- * Run scripts to identify EQ AAD Objects and Course Repos
+ * ⚡️ Run scripts to identify EQ AAD Objects and Course Repos
 * Send reminder about cleaning up
- * Remind about #appsec
+ * ⚡️ Remind about #appsec
-### Invitation proposal
+### Invitation proposal ⚡️
 ```text
@@ -76,7 +76,7 @@ Instructor A, Instructor B
 ```
-### Welcome email
+### Welcome email ⚡️
 ```text
diff --git a/src/readme.md b/src/readme.md
index a684d15..239be31 100644
--- a/src/readme.md
+++ b/src/readme.md
@@ -12,7 +12,7 @@ This files contains the common configuration for all scripts.
 ### `aa-get-redirect-uri.sh`
-The script will return the dynamic redirect uri for the Codespace. This will be used bu the .env file for the client as well as in the app registration for the client.
+The script will return the dynamic redirect uri for the Codespace. This will be used by the .env file for the client as well as in the app registration for the client.
 ### `aa-save-env-files-to-github-user-secret.sh`
diff --git a/src/templates/client.env.template b/src/templates/client.env.template
index f7b7573..c276e5d 100644
--- a/src/templates/client.env.template
+++ b/src/templates/client.env.template
@@ -5,7 +5,7 @@ export TOKEN_CACHE_FILE="${HOME}/.tcache/cache.json"
 export TENANT_ID=''
 export CLIENT_ID=''
-export CLIENT_SECRET=""
+export CLIENT_SECRET=''
 export REDIRECT_URI=$(aa-get-redirect-uri.sh)
 export EPISODES_API_URI=""
diff --git a/src/templates/episodes.env.template b/src/templates/episodes.env.template
index 114010a..0d08c43 100644
--- a/src/templates/episodes.env.template
+++ b/src/templates/episodes.env.template
@@ -1,11 +1,11 @@
 export NODE_ENV=development
-export TENANT_ID=""
+export TENANT_ID=''
 export PORT=3100
 export HOST=127.0.0.1
-export CLIENT_ID=""
-export CLIENT_SECRET=""
+export CLIENT_ID=''
+export CLIENT_SECRET=''
-export EPISODES_API_URI=""
+export EPISODES_API_URI=''
 export QUOTES_API_URL="http://127.0.0.1:3200"
 export QUOTES_API_URI=""
diff --git a/src/templates/quote.env.template b/src/templates/quote.env.template
index 8811639..b72cef9 100644
--- a/src/templates/quote.env.template
+++ b/src/templates/quote.env.template
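Review bot: Two lines below the changed `CLIENT_SECRET` line, the unchanged `export REDIRECT_URI=$(aa-get-redirect-uri.sh)` masks any failure of the helper script: `export` reports its own status, so a missing or failing `aa-get-redirect-uri.sh` leaves REDIRECT_URI empty without tripping `set -e` (ShellCheck SC2155), and src/readme.md in this same patch says that value has to match the app registration. Declaring and asserting separately, `REDIRECT_URI="$(aa-get-redirect-uri.sh)"` then `: "${REDIRECT_URI:?aa-get-redirect-uri.sh produced no redirect URI}"` then `export REDIRECT_URI`, also quotes the substitution, which matters if this template is ever sourced by a POSIX sh rather than bash. The quote change is also incomplete: `CLIENT_SECRET` moves to `''` while `export EPISODES_API_URI=""` on the last line of the hunk keeps double quotes. Since this template is where a real client secret gets pasted, a comment above it such as `# CLIENT_SECRET is filled in locally; never commit the generated .env` would make the intended handling explicit.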
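Review bot: The quote normalisation stops one line short: `export QUOTES_API_URI=""` on the last line of the hunk is still double-quoted while every other placeholder in the file now uses `''`; make it `export QUOTES_API_URI=''` so the file is uniform. The unchanged `export QUOTES_API_URL="http://127.0.0.1:3200"` is plain HTTP, which is acceptable for the loopback-bound development setup the same hunk declares (`HOST=127.0.0.1`) but deserves a one-line comment, e.g. `# loopback only: plain HTTP is fine here, never for a non-local API URL`, so it is not copied into a deployed configuration. A `# placeholder; never commit a filled-in .env` comment above `export CLIENT_SECRET=''` would serve the same purpose for the secret.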
@@ -1,6 +1,6 @@
 export NODE_ENV=development
-export TENANT_ID=""
+export TENANT_ID=''
 export PORT=3200
 export HOST=127.0.0.1
-export EPISODES_API_URI=""
-export QUOTES_API_URI=""
\ No newline at end of file
+export EPISODES_API_URI=''
+export QUOTES_API_URI=''
\ No newline at end of file
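Review bot: The rewritten last line `export QUOTES_API_URI=''` still ends without a newline (the `\ No newline at end of file` marker is repeated on the new side), so concatenating this template after another or appending a line with `echo ... >> file` will glue text onto it; since the line is being touched anyway, terminate the file with a newline. Otherwise the hunk matches the single-quote placeholder style used by the other two templates in this patch.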