Closed AntonyBishop closed 11 months ago
Created a Python Flask webpage hosted on the CP (env folder) that can allow pre-approved emails to send out invites to the GitHub Organisation.
See repo and releases for more info.
Requires the SLACK and OPS ENG BOT tokens; these are stored in Secrets Manager on the CP AWS account.
A Slack message is raised when a non-approved email address user requests access to the Organisation or wants to rejoin the Organisation.
Website link.
Security improvements are in development for this ticket.
Rate limiting applied to the application. See PR.
Get removed users from audit log. See PR.
Check audit log when user rejoins Org. See PR.
See PR
Add recaptcha to Form. See PR.
Meeting planned with the AP team on how they use Azure AD with Auth0 on their service; the goal is to replicate this feature in our Auth0 account so that we can make use of the non digital.justice email domains.
The Data Upload team use AWS SES with Auth0 for passwordless / magic link emails to authenticate that a user has said email address. This is another option to consider in hardening the form against abuse.
There is a VPN / IP address option on CP (where the application is hosted): https://user-guide.cloud-platform.service.justice.gov.uk/documentation/networking/ip-filtering.html#inbound-ip-filtering. Not sure what this offers yet.
We had a meeting with the AP team; we now have a connection to Azure AD in the Auth0 settings.
Connor and Tamsin have access to the Azure AD connection. Other team members will need to be added manually to the connection to get access.
The Azure AD connection covers the entire MoJ email address DB; when used with Auth0, the user's email address will need to be filtered so that the application only allows the expected email domains, i.e. @justice.gov.uk and @digital.justice.gov.uk.
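A worked example of the email-domain filter described above, added here as an illustration and not code from the repository. The allow-list contents, the helper names (email_is_allowed, auth0_email_from_userinfo, access_decision) and the sample claim sets are assumptions. The check compares the domain exactly and case-insensitively, so look-alike domains (justice.gov.uk.evil.com), sub-domains, a second "@" and a trailing dot are all rejected, and the address is only trusted when the identity provider marks it as verified.

```python
"""Added example (not the project's code): allow-list the e-mail domain that
Auth0 / Azure AD returns before a user can reach the invite form.
Hypothetical names: ALLOWED_DOMAINS, email_is_allowed(),
auth0_email_from_userinfo(), access_decision()."""
import re

# Constructed allow-list of the two domains named in the thread.
# Assumption: exactly these domains are accepted, not their sub-domains.
ALLOWED_DOMAINS = frozenset({"justice.gov.uk", "digital.justice.gov.uk"})

# Conservative local-part character set (no quotes, brackets or spaces).
_LOCAL_PART_RE = re.compile(r"^[A-Za-z0-9._%+-]+$")


def email_is_allowed(email, allowed=ALLOWED_DOMAINS):
    """Return True only if `email` is a single, well-formed address whose
    domain is an exact, case-insensitive member of `allowed`.

    Rejects common bypass shapes: a display name or second '@', a look-alike
    domain such as justice.gov.uk.evil.com, a sub-domain, a trailing dot,
    and any whitespace or control character."""
    if not isinstance(email, str) or not email or len(email) > 254:
        return False
    # Exactly one '@' and nothing that could smuggle a second address in.
    if email.count("@") != 1 or any(c.isspace() or ord(c) < 32 for c in email):
        return False
    local, domain = email.split("@")
    if not _LOCAL_PART_RE.fullmatch(local):
        return False
    # Exact match on the lower-cased domain: no suffix or prefix matching,
    # so "justice.gov.uk.evil.com" and "sub.justice.gov.uk" both fail.
    return domain.lower() in allowed


def auth0_email_from_userinfo(userinfo):
    """Pull the e-mail out of an Auth0 /userinfo-style claim set.

    Assumption: the standard OIDC `email` and `email_verified` claims are
    present. Only a verified address is returned; anything else yields None,
    so an unverified or missing claim never reaches the allow-list check."""
    email = userinfo.get("email")
    if not email or userinfo.get("email_verified") is not True:
        return None
    return email


def access_decision(userinfo):
    """Combined gate a (hypothetical) Flask before_request hook would call
    after the Auth0 callback: verified address AND allow-listed domain."""
    email = auth0_email_from_userinfo(userinfo)
    return email is not None and email_is_allowed(email)


if __name__ == "__main__":
    # Constructed sample claim sets, as Auth0 would return them.
    for claims in (
        {"email": "jane.doe@justice.gov.uk", "email_verified": True},
        {"email": "Jane.Doe@DIGITAL.JUSTICE.GOV.UK", "email_verified": True},
        {"email": "attacker@justice.gov.uk.evil.com", "email_verified": True},
        {"email": "attacker@evil.com@justice.gov.uk", "email_verified": True},
        {"email": "jane.doe@justice.gov.uk", "email_verified": False},
    ):
        print(claims["email"], "->", "allow" if access_decision(claims) else "deny")
```

The same check belongs on the server side of every request that sends an invite, not only on the login callback, since the Flask session or token is the only thing tying the later form submission back to the verified address.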
Meeting with Auth0 to fix the Azure AD enterprise connection: enabled a button in the second tab of the enterprise connection and tested that the app could open the Microsoft login page when running the application locally.
Finished unit tests.
Additional info about the application: https://docs.google.com/document/d/1MbafY04NI3UcoduOruP6KKgurnAwfrRxYQ0onICq2Nc
Remove Slack, use Auth0, use different configurations, redesign the user form, remove unneeded functions and files.
See PR.
Closing and continuing the work under https://github.com/ministryofjustice/operations-engineering/issues/3890
User Need
PoC to trial GitHub joiners
Jamboard for reference - https://jamboard.google.com/d/1gCWabJAF3iZTkmOdgt6OWbYZonzXDBw5FRQNKfOggOY/edit?usp=sharing
Value
To get feedback to help next design phase. To better understand any constraints/challenges around scaling.
Functional Requirements:
In the PoC we should consider: a) what user data to capture, b) how to structure the data, c) how to manage state, d) the solution must be able to scale.
Non-Functional Requirements:
Acceptance Criteria:
Notes: