WAF policy - block and allowlist regulation - web-application-firewall

I want to block certain countries IP addresses in my WAF.
Say I have a legitimate user trying to access the website from their mobile while they are on holiday in one of the blocked countries. Is it possible to allow them access by authenticating the user first?
I've been having issues finding any documentation to confirm if this is possible and how it would be done.

Related

Google Assistant Smart Home : agentUserId definition may be incorrect

As per Google Assistant documentation for Smart Home, the agentUserId used in action.devices.QUERY is defined to 'Reflects the unique (and immutable) user ID on the agent's platform. The string is opaque to Google, so if there's an immutable form vs a mutable form on the agent side, use the immutable form (e.g. an account number rather than email)'
However, there can be cases where the same device (with the same agent user id) is attached to multiple Google Assistant accounts, and in such cases a DISCONNECT request may result in ceasing report state for all accounts. The solution will be to add some unique ID corresponding to the Google Assistant account; however, such information is not available in any request.
Has anyone seen a similar issue, and is my understanding incorrect?
The agentUserId is meant to be the user account on the smart home platform. SHP user '1234' may have a vacuum and two lights, but could be linked to multiple Google accounts.
During the account linking process, you would be expected to give a refresh and access tokens to allow for Google to have authorized control over these devices. If you assign unique access tokens for each Google account that signs in, you'd be able to determine which Google account the request is coming from.
At that point, once the user disconnects, you can use the access token in the request header to associate that with a specific Google account and only disable reporting for that account while not affecting other accounts.
So, yes the solution is to have a unique ID connecting to the account. While this is not passed in the agent ID, there is already a mechanism to make this association through the authorization system.
Alternatively, you could append a key in the agentUserId, i.e. '1234-user@gmail.com'. However, this may have unintended impacts in the Home Graph. In a multi-user home, you may end up seeing the devices duplicated because Google doesn't have the right information to deduplicate.
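The mechanism the answer describes, as an added example that is not code from the original answer or from Google: the account-linking OAuth server records one link per Google account that signs in, every access token is bound to exactly one link, and the DISCONNECT handler uses the bearer token from the request header to switch off Report State for that link only. `AccountLink`, `LinkStore` and the `google_account` label are assumptions of this example; the store is in-memory and would be a database in practice.

```python
# Added example, not code from the original answer: one OAuth link (and therefore one
# access token) per Google account that signs in, so DISCONNECT can be scoped to that
# account even when several Google accounts share the same agentUserId.
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass
class AccountLink:
    link_id: str
    agent_user_id: str     # the smart-home platform user, e.g. '1234'
    google_account: str    # hypothetical opaque label for the Google account that linked
    report_state: bool = True


class LinkStore:
    """In-memory stand-in for the database behind the account-linking OAuth server."""

    def __init__(self) -> None:
        self.links: dict[str, AccountLink] = {}
        # access token -> (link_id, expiry time); in production store a token hash
        self._tokens: dict[str, tuple[str, float]] = {}

    def link_account(self, agent_user_id: str, google_account: str) -> str:
        """Called when a Google account completes linking; returns the new link id."""
        link_id = secrets.token_urlsafe(16)
        self.links[link_id] = AccountLink(link_id, agent_user_id, google_account)
        return link_id

    def issue_access_token(self, link_id: str, ttl_seconds: int = 3600,
                           now: float | None = None) -> str:
        """Mint a short-lived bearer token bound to exactly one link."""
        if link_id not in self.links:
            raise KeyError("unknown link")
        token = secrets.token_urlsafe(32)
        issued = time.time() if now is None else now
        self._tokens[token] = (link_id, issued + ttl_seconds)
        return token

    def resolve(self, authorization_header: str,
                now: float | None = None) -> AccountLink | None:
        """Map the Authorization header of a fulfillment request to its link, or None."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme.lower() != "bearer" or not token:
            return None
        entry = self._tokens.get(token.strip())
        if entry is None:
            return None
        link_id, expiry = entry
        if (time.time() if now is None else now) >= expiry:
            return None
        return self.links.get(link_id)

    def handle_disconnect(self, authorization_header: str,
                          now: float | None = None) -> bool:
        """action.devices.DISCONNECT: stop Report State for the calling account only."""
        link = self.resolve(authorization_header, now)
        if link is None:
            return False
        link.report_state = False
        # Revoke every token that points at the disconnected link.
        self._tokens = {t: v for t, v in self._tokens.items() if v[0] != link.link_id}
        return True

    def accounts_to_report(self, agent_user_id: str) -> set[str]:
        """Google accounts that should still receive Report State for a platform user."""
        return {link.google_account for link in self.links.values()
                if link.agent_user_id == agent_user_id and link.report_state}
```

Because the token, not the agentUserId, identifies the caller, the agentUserId can stay the immutable platform account id the documentation asks for, and the Home Graph duplication problem of encoding the Google account into it does not arise.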

Bypass reCAPTCHA from a specified origin

We have a page on our site that uses Google's reCAPTCHA before allowing the user to download a file.
It works great and we totally stopped all the evil bots from spamming our servers.
Now we want to allow a specific entity (user, domain, whatever) to be able to automatically download files without solving the challenge. Or maybe solving it once per session (which will be longer than 2 minutes) and not once per file.
Is there some way we can issue them a multi-use token or have them get a token from Google that will allow them (temporary?) unfettered access to our file downloads? Can we whitelist their domain in the Google admin settings?
Or is this something I need to build myself?
EDIT: It turns out I didn't get all the requirements for this assignment. Whitelisting will not satisfy the requirements since it is apparently multiple entities, and that will indubitably change in the future.
reCAPTCHA does not provide specific whitelisting for users or domains.
Instead, you should be looking at making this dynamic on your side. For example, disable reCAPTCHA for signed-in users or generate a token on your server with an expiry time, set that as a cookie on the client, and disable reCAPTCHA for valid tokens.

Errors accessing Shared/Room Calendars through Microsoft Graph API

I'm making an application that requires access to the shared/room-resource calendars in an Office 365 instance, using non-admin accounts. I've registered an app (in the Microsoft Application Registration Portal) using the V2 endpoint and Auth Code Grant. This successfully allows me to log in, and gives me a functional token with the Calendars.ReadWrite.Shared scope. With this token, I can retrieve my own calendars, and calendars that have been explicitly shared with me (and therefore added to my list of calendars). All of this is doable with just the normal Calendars.ReadWrite scope.
However, I get errors when requesting access to any other shared calendars, like the room calendars. Here's an example. If I make a GET call to https://graph.microsoft.com/beta/users/my-own-email@business.com/calendars it successfully returns a list of my calendars. If I make a GET call to https://graph.microsoft.com/beta/users/meetingroom1.4@business.com/calendars I get a 404 (Not Found) Error. The same error occurs for any other user, not just meeting rooms. Note that I can see these calendars when I'm logged into Office 365 online with the same account.
A different error occurs if I ask for events, not calendars. If I make a GET call to https://graph.microsoft.com/beta/users/meetingroom1.4@business.com/events, I get a 500 (Internal Server) Error.
I've checked all the other threads I can find on the issue, and this one from November How to access shared calendars from Office REST API? says there's some kind of blocking issue on Microsoft's end. It's using the Office REST API rather than Graph, but on the back-end the APIs call the same stuff. Is this issue still about? Alternatively, am I missing some further permissions? I tried adding quite a few different permissions on top of Calendars.ReadWrite.Shared, but none of them fixed it. Is there a correct combination?
Thanks so much for any help, and let me know if any other info would be useful for diagnosis.
So if anyone else happens to be interested in this, I figured out a way to access room resource calendars without using the Calendars.ReadWrite.Shared permission. This allows you to use just the Calendars.ReadWrite permission to access the room resources, by moving them into the list of calendars of the email you're authenticating with. However, it will only work for specific accounts that you share the calendars with, so won't be usable in apps that have to work for any account. This is good enough for my use-case, but may not be for yours.
First, find or make an account that is a delegate to, and has full access to, the room resource calendar you want to use. On that account click 'Open another mailbox' in the dropdown list under your profile image.
[Screenshot: location of 'Open another mailbox']
In the pop-up that follows, put in the email address of the room resource calendar that you want to use.
Then, on the new page that opens (which should be the Office account of the room resource calendar):
Navigate to the calendar page
Click 'Share'
Share the default calendar with the account you plan to authenticate with.
Then log into that 'authentication' account, check its email for the notification of the shared calendar, and click 'accept'. What this will do is move the calendar into the authenticated account's list of calendars, meaning you can access it with just a call to the https://graph.microsoft.com/v1.0/me/calendars endpoint. You'll have to repeat it for every calendar you want to be able to access, sadly.

Get list of domains for an Organization using Google Apps Admin SDK?

An organization in Google Apps can have multiple domains.
API requests to the Admin SDK require the domain name as a parameter.
Ex:
https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/general/defaultLanguage
Is there a way to programmatically list all domains for an organization? If, for example, you wanted to change the language for all domains in an organization, there doesn't seem to be any way to list/iterate through the domains.
You cannot set separate policies or Admin Settings API per domain when the domains are in the same Google Apps instance. See the Google Limitations for multiple domains document.
To answer your first question, the Admin SDK does not have a method that allows the retrieval of all domains. However, you can retrieve all users in the Google Apps instance and use that to determine what domains users have been created in.
In the new version of Directory API, Google added a functionality called Domains that let you get the domain list of a customer.
Check the below link
https://developers.google.com/admin-sdk/directory/v1/reference/domains
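The workaround from the first answer, as an added example that is not code from either answer or from Google: page through users.list and collect the domain of every address you find. `fetch_page` stands in for the Directory API call (users.list with `customer="my_customer"`, which spans all domains of the customer, returns at most 500 users per page and a `nextPageToken`); `SAMPLE_PAGES` is constructed data in the shape of that response. The domains.list method mentioned in the second answer is the direct route where it is available.

```python
# Added example, not code from the original answers: collect the domains of a Google Apps
# customer from paged users.list results. fetch_page stands in for the Directory API call;
# SAMPLE_PAGES is constructed data.
from __future__ import annotations

from typing import Callable, Iterator, Optional

SAMPLE_PAGES: dict[Optional[str], dict] = {
    None: {
        "users": [
            {"primaryEmail": "alice@example.com", "aliases": ["alice@example.net"]},
            {"primaryEmail": "bob@sub.example.com"},
        ],
        "nextPageToken": "page2",
    },
    "page2": {
        "users": [
            {"primaryEmail": "carol@example.org",
             "emails": [{"address": "carol@example.org", "primary": True},
                        {"address": "carol@example.com"}]},
        ],
    },
}


def fetch_page(page_token: Optional[str]) -> dict:
    """Stand-in for one users.list call; the real call takes pageToken and returns JSON."""
    return SAMPLE_PAGES[page_token]


def iter_users(fetch: Callable[[Optional[str]], dict]) -> Iterator[dict]:
    """Follow nextPageToken until the last page."""
    token: Optional[str] = None
    while True:
        page = fetch(token)
        yield from page.get("users", [])
        token = page.get("nextPageToken")
        if not token:
            return


def domain_of(address: str) -> Optional[str]:
    """Lower-cased domain part of an address, or None if it has no local part or domain."""
    local, at, domain = address.rpartition("@")
    return domain.lower() if at and local and domain else None


def domains_in_use(fetch: Callable[[Optional[str]], dict],
                   include_aliases: bool = True) -> set[str]:
    """Domains with at least one primary address (and optionally an alias) in the customer."""
    domains: set[str] = set()
    for user in iter_users(fetch):
        addresses = [user.get("primaryEmail", "")]
        if include_aliases:
            addresses += user.get("aliases", [])
            addresses += [e.get("address", "") for e in user.get("emails", [])]
        for address in addresses:
            found = domain_of(address)
            if found:
                domains.add(found)
    return domains
```

A domain that is registered to the customer but has no user or alias yet will not appear, which is the inherent limit of inferring domains from users rather than listing them.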

Magento incoming mail (replies) going to wrong email SMTP issue?

I have a client that keeps getting the customer service reply to emails in his mail box when they should be going to the customer service email. I've searched everywhere for record of his email and it is nowhere. I am guessing now that because the customer service emails are of a different domain the replies are getting marked as spam and being sent to the server admin account instead. I have downloaded this extension: http://www.magentocommerce.com/magento-connect/ASchroder/extension/1865/aschroder.com-smtp-pro. Would a different domain email be SMTP? Advice appreciated.
We had this problem with a few of our recipients as well.
Mainly Comcast users and CenturyLink, to name a few. What the problem is, is that you are sending from (for example) www-data@thisdomain (this will be the machine's domain name, i.e. www-data@WebServer01) in the header, regardless of who is in the FROM field. Your actual domain in the FROM field is customer_service@yourstoredomain.com. You will need to do one of two things.
If you host the Magento install on your own operating system and you have control of it, you'll need to change the machine's hostname to match that of your web domain name, i.e. yourwebsite.com.
If that isn't an option, then you will need to use a Magento plugin like the one you mentioned, and have it log in via SMTP to your email service provider (We use Office365) and send the email from a "real" email address that you have created.
The reason this fails is due to the SPF record on the providers (i.e. Comcast, CenturyLink) not allowing emails from a domain other than that which is specified in the header. This is usually to prevent spam etc. to their customers. So companies like these simply block or, in some cases, redirect that email back to the user at the originating FROM domain.
If at all possible, the easiest route is going to be to try to change the domain in the header of the email. Hopefully you manage your own operating system so you have control over this. If not, try to see if your hosting provider will provide you access to a "jailed" area so that you can change said settings. The SMTP route is NO FUN ...
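What a receiving mail server actually evaluates when it applies SPF, as an added example that is not code from the original answer: it looks up the SPF TXT record of the envelope sender's domain and checks whether the connecting IP is authorised by it. The evaluator below covers the ip4, ip6, include and all mechanisms over constructed records (`yourstoredomain.com`, `mail-provider.example` and the documentation-reserved addresses are assumptions of this example). It shows the two outcomes behind the answer's advice: a message claiming `customer_service@yourstoredomain.com` that leaves a web server the domain's record does not list fails, while the same message relayed through the provider's SMTP servers (the plugin route) passes, and a sender like `www-data@WebServer01` with no record at all gets no SPF result.

```python
# Added example, not code from the original answer: a minimal SPF evaluator over
# constructed DNS data (ip4/ip6/include/all only; a, mx, ptr and exists need live DNS
# and are reported as permerror here).
from __future__ import annotations

import ipaddress

# Constructed TXT records; names and addresses are documentation-reserved examples.
SPF_RECORDS = {
    "yourstoredomain.com": "v=spf1 include:mail-provider.example -all",
    "mail-provider.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    # WebServer01 deliberately has no record: mail from www-data@WebServer01 gets "none".
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def sender_domain(mail_from: str) -> str:
    """Domain part of the envelope sender (MAIL FROM), lower-cased."""
    return mail_from.rpartition("@")[2].lower()


def lookup_spf(domain: str, records: dict) -> str | None:
    record = records.get(domain.lower())
    return record if record and record.lower().startswith("v=spf1") else None


def check_spf(client_ip: str, mail_from: str, records: dict = SPF_RECORDS,
              _depth: int = 0) -> str:
    """Evaluate the sender domain's record for the connecting IP.

    Returns pass, fail, softfail, neutral, none or permerror (RFC 7208 result names).
    """
    if _depth > 10:                       # stands in for the RFC's 10-lookup limit
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    record = lookup_spf(sender_domain(mail_from), records)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            sub = check_spf(client_ip, "postmaster@" + arg, records, _depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):  # RFC 7208 section 5.2
                return "permerror"
            # fail, softfail, neutral: the include did not match; keep evaluating
        else:
            return "permerror"
    return "neutral"                      # nothing matched and no "all" was present
```

The check is keyed on the envelope sender's domain and the connecting IP, so changing the hostname the server announces only helps insofar as it changes which domain's record is consulted; relaying through servers the store domain's record already authorises is what turns the result into a pass.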
