From 09dd519678969d83ab4621bb81f57911833c0e1e Mon Sep 17 00:00:00 2001 From: John Gasper Date: Tue, 18 Sep 2018 16:17:30 -0700 Subject: [PATCH] with one exception 401.1 should be complete. --- base/Dockerfile | 2 +- .../conf/grouper-loader.properties | 2 +- base/container_files/conf/subject.properties | 6 +-- ex401/class-files/CisoQuestionalUsers.txt | 15 +++++++ .../container_files/grouper-loader.properties | 2 +- .../container_files/seed-data/bootstrap.gsh | 2 +- .../container_files/subject.properties | 8 ++-- .../container_files/seed-data/bootstrap.gsh | 10 ++--- .../container_files/seed-data/bootstrap.gsh | 1 - .../container_files/grouper-loader.properties | 6 +-- .../container_files/seed-data/bootstrap.gsh | 2 +- .../container_files/seed-data/bootstrap.gsh | 39 ++++++++++++++----- .../container_files/seed-data/bootstrap.gsh | 1 - 13 files changed, 64 insertions(+), 32 deletions(-) create mode 100644 ex401/class-files/CisoQuestionalUsers.txt diff --git a/base/Dockerfile b/base/Dockerfile index ec5274b..0729886 100644 --- a/base/Dockerfile +++ b/base/Dockerfile @@ -1,6 +1,6 @@ FROM unicon/shibboleth-idp:3.3.3 as idp -FROM tier/grouper:2.4.0-a0-u0-w0-p0-test +FROM tier/grouper:2.4.0-a2-u0-w0-p0-test LABEL author="tier-packaging@internet2.edu " \ Vendor="TIER" \ diff --git a/base/container_files/conf/grouper-loader.properties b/base/container_files/conf/grouper-loader.properties index 7924419..ae41ed1 100644 --- a/base/container_files/conf/grouper-loader.properties +++ b/base/container_files/conf/grouper-loader.properties @@ -37,7 +37,7 @@ #note the URL should start with ldap: or ldaps: if it is SSL. #It should contain the server and port (optional if not default), and baseDn, #e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu -ldap.demo.url = ldap://localhost:389/dc=internet2,dc=edu +ldap.demo.url = ldap://localhost:389/ #optional, if authenticated ldap.demo.user = cn=root,dc=internet2,dc=edu 
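Review bot: The comment three lines above the changed `ldap.demo.url` still says the URL "should contain the server and port ... and baseDn", which the new `ldap://localhost:389/` value deliberately drops, so the file now contradicts itself; replace that comment line with something like `#baseDn intentionally omitted: every search base (subject.properties, loader jobs, pspng) is fully qualified instead`. Without a base in the URL, any consumer that still carries a relative search base such as `ou=people` would presumably be resolved against an empty base rather than under dc=internet2,dc=edu, so every loader job, PSPNG target and subject source in the image needs the same treatment; this commit does it for the subject sources and the 401.1.4 PSPNG block, but the rest of this file is not visible from here. The bind identity on the next context line is `cn=root,dc=internet2,dc=edu` over plain `ldap:`; acceptable for a localhost training container, but a one-line comment reminding students that a real deployment binds as a dedicated, read-scoped service account over `ldaps:` would be cheap and on-topic for the material.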
diff --git a/base/container_files/conf/subject.properties b/base/container_files/conf/subject.properties index 8b2096e..2b7037d 100644 --- a/base/container_files/conf/subject.properties +++ b/base/container_files/conf/subject.properties @@ -55,7 +55,7 @@ subjectApi.source.ldap.param.subjectIdentifierAttribute0.value = employeeNumber # Each subject has one and only on ID. Returns one result when searching for one ID. subjectApi.source.ldap.search.searchSubject.param.filter.value = (&(uid=%TERM%)(objectclass=person)) subjectApi.source.ldap.search.searchSubject.param.scope.value = SUBTREE_SCOPE -subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people +subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people,dc=internet2,dc=edu #searchSubjectByIdentifier: find a subject by identifier. Identifier is anything that uniquely # identifies the user, e.g. jsmith or jsmith@institution.edu. @@ -63,12 +63,12 @@ subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people # even across sources. Returns one result when searching for one identifier. subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(employeeNumber=%TERM%)(objectclass=person)) subjectApi.source.ldap.search.searchSubjectByIdentifier.param.scope.value = SUBTREE_SCOPE -subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people +subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people,dc=internet2,dc=edu # search: find subjects by free form search. Returns multiple results. subjectApi.source.ldap.search.search.param.filter.value = (&(|(|(uid=%TERM%)(cn=*%TERM%*))(uid=%TERM%*))(objectclass=person)) subjectApi.source.ldap.search.search.param.scope.value = SUBTREE_SCOPE -subjectApi.source.ldap.search.search.param.base.value = ou=people +subjectApi.source.ldap.search.search.param.base.value = ou=people,dc=internet2,dc=edu subjectApi.source.ldap.internalAttributes = searchAttribute0 
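Review bot: The suffix `dc=internet2,dc=edu` is now hard-coded in three search bases here (and again in ex401.1.1's copy of this file and in the PSPNG settings), so a directory rename means editing several files in lock-step and nothing explains why the relative `ou=people` was dropped; add a comment above the first base, `# bases are fully qualified because ldap.demo.url no longer carries a baseDn`, so the coupling with grouper-loader.properties is visible. Keeping the narrower `ou=people` rather than the bare suffix is the right call for the free-form `search` filter just below, which interpolates `%TERM%` with `*` wildcards under SUBTREE_SCOPE; presumably it is Grouper that escapes the term, but scoping the base to person entries limits what a UI search can enumerate regardless.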
diff --git a/ex401/class-files/CisoQuestionalUsers.txt b/ex401/class-files/CisoQuestionalUsers.txt new file mode 100644 index 0000000..17027ce --- /dev/null +++ b/ex401/class-files/CisoQuestionalUsers.txt @@ -0,0 +1,15 @@ +ahenderson36 +cpeterson37 +jclark39 +kbrown62 +tpeterson63 +pjohnson64 +aroberts95 +sdavis107 +mhenderson109 +jvales117 +sgrady139 +mprice142 +mwilliams144 +lpeterson153 +mvales154 diff --git a/ex401/ex401.1.1/container_files/grouper-loader.properties b/ex401/ex401.1.1/container_files/grouper-loader.properties index 7924419..ae41ed1 100644 --- a/ex401/ex401.1.1/container_files/grouper-loader.properties +++ b/ex401/ex401.1.1/container_files/grouper-loader.properties @@ -37,7 +37,7 @@ #note the URL should start with ldap: or ldaps: if it is SSL. #It should contain the server and port (optional if not default), and baseDn, #e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu -ldap.demo.url = ldap://localhost:389/dc=internet2,dc=edu +ldap.demo.url = ldap://localhost:389/ #optional, if authenticated ldap.demo.user = cn=root,dc=internet2,dc=edu diff --git a/ex401/ex401.1.1/container_files/seed-data/bootstrap.gsh b/ex401/ex401.1.1/container_files/seed-data/bootstrap.gsh index aa778b7..064c258 100644 --- a/ex401/ex401.1.1/container_files/seed-data/bootstrap.gsh +++ b/ex401/ex401.1.1/container_files/seed-data/bootstrap.gsh @@ -4,7 +4,7 @@ addRootStem("ref", "ref"); addRootStem("bundle", "bundle"); addRootStem("app", "app"); addRootStem("org", "org"); -testStem = addRootStem("test", "test"); +addRootStem("test", "test"); addGroup("etc","rolesLoader", "Roles Loader"); groupAddType("etc:rolesLoader", "grouperLoader"); diff --git a/ex401/ex401.1.1/container_files/subject.properties b/ex401/ex401.1.1/container_files/subject.properties index 5edd00d..b55a10a 100644 --- a/ex401/ex401.1.1/container_files/subject.properties +++ b/ex401/ex401.1.1/container_files/subject.properties 
@@ -17,7 +17,7 @@ subjectApi.source.ldap.param.subjectVirtualAttribute_0_searchAttribute0.value = subjectApi.source.ldap.param.sortAttribute0.value = cn subjectApi.source.ldap.param.searchAttribute0.value = searchAttribute0 subjectApi.source.ldap.param.subjectVirtualAttribute_0_searchAttribute0.value = ${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('employeeNumber'), "")} -subjectApi.source.ldap.param.subjectVirtualAttribute_1_displayName.value = ${subject.getAttributeValueOrCommaSeparated('cn') + ' (' + subject.getAttributeValueOrCommaSeparated('title') + ')'} +subjectApi.source.ldap.param.subjectVirtualAttribute_1_displayName.value = ${subject.getAttributeValueOrCommaSeparated('cn') + ' (' + subject.getAttributeValueOrCommaSeparated('uid') + ', ' + subject.getAttributeValueOrCommaSeparated('title') + ')'} # STATUS SECTION for searches to filter out inactives and allow # the user to filter by status with e.g. status=all @@ -56,7 +56,7 @@ subjectApi.source.ldap.param.subjectIdentifierAttribute0.value = employeeNumber # Each subject has one and only on ID. Returns one result when searching for one ID. subjectApi.source.ldap.search.searchSubject.param.filter.value = (&(uid=%TERM%)(objectclass=person)) subjectApi.source.ldap.search.searchSubject.param.scope.value = SUBTREE_SCOPE -subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people +subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people,dc=internet2,dc=edu #searchSubjectByIdentifier: find a subject by identifier. Identifier is anything that uniquely # identifies the user, e.g. jsmith or jsmith@institution.edu. 
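Review bot: The new displayName expression concatenates `uid` and `title` directly, whereas the searchAttribute0 line just above wraps every attribute in `subjectUtils.defaultIfBlank(..., "")`; a subject with no `title` (or no `uid`) will render whatever the expression language does with a null operand instead of a clean name. Apply the same guard: `${subject.getAttributeValueOrCommaSeparated('cn') + ' (' + subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "") + ', ' + subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('title'), "") + ')'}`. Putting the uid into every display name also places the login identifier on every membership screen and in whatever gets exported from them; that is presumably wanted for the exercise (the CisoQuestionalUsers list is keyed by uid), but a short comment saying so would help.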
@@ -64,13 +64,13 @@ subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people # even across sources. Returns one result when searching for one identifier. subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(employeeNumber=%TERM%)(objectclass=person)) subjectApi.source.ldap.search.searchSubjectByIdentifier.param.scope.value = SUBTREE_SCOPE -subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people +subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people,dc=internet2,dc=edu # search: find subjects by free form search. Returns multiple results. subjectApi.source.ldap.search.search.param.filter.value = (&(|(|(uid=%TERM%)(cn=*%TERM%*))(uid=%TERM%*))(objectclass=person)) subjectApi.source.ldap.search.search.param.scope.value = SUBTREE_SCOPE -subjectApi.source.ldap.search.search.param.base.value = ou=people +subjectApi.source.ldap.search.search.param.base.value = ou=people,dc=internet2,dc=edu subjectApi.source.ldap.attributes = givenName, sn, cn, uid, mail, employeeNumber, title subjectApi.source.ldap.internalAttributes = searchAttribute0 diff --git a/ex401/ex401.1.2/container_files/seed-data/bootstrap.gsh b/ex401/ex401.1.2/container_files/seed-data/bootstrap.gsh index 0497f68..b6bed23 100644 --- a/ex401/ex401.1.2/container_files/seed-data/bootstrap.gsh +++ b/ex401/ex401.1.2/container_files/seed-data/bootstrap.gsh 
@@ -3,7 +3,7 @@ gs = GrouperSession.startRootSession(); addStem("test", "vpn", "vpn"); //Create a loader job to pull in the VPN users assigned in the directory. -group = new GroupSave(gs).assignName("test:vpn:vpn_access").assignCreateParentStemsIfNotExist(true).save(); +group = new GroupSave(gs).assignName("test:vpn:vpn_legacy").assignCreateParentStemsIfNotExist(true).save(); group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign(); attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true); attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?"); @@ -22,13 +22,13 @@ addGroup("ref", "student", "student"); //Create the groups that do the grouper math to analyze the tables. addGroup("test:vpn", "vpn_faculty", "vpn_faculty"); -addComposite("test:vpn:vpn_faculty", CompositeType.INTERSECTION, "test:vpn:vpn_access", "ref:faculty"); +addComposite("test:vpn:vpn_faculty", CompositeType.INTERSECTION, "test:vpn:vpn_legacy", "ref:faculty"); addGroup("test:vpn", "vpn_employees", "vpn_employees"); -addComposite("test:vpn:vpn_employees", CompositeType.INTERSECTION, "test:vpn:vpn_access", "ref:staff"); +addComposite("test:vpn:vpn_employees", CompositeType.INTERSECTION, "test:vpn:vpn_legacy", "ref:staff"); addGroup("test:vpn", "vpn_students", "vpn_students"); -addComposite("test:vpn:vpn_students", CompositeType.INTERSECTION, "test:vpn:vpn_access", "ref:student"); +addComposite("test:vpn:vpn_students", CompositeType.INTERSECTION, "test:vpn:vpn_legacy", "ref:student"); addGroup("test:vpn", "vpn_facstaffstudent", "vpn_facstaffstudent"); addMember("test:vpn:vpn_facstaffstudent", "test:vpn:vpn_faculty"); 
@@ -36,4 +36,4 @@ addMember("test:vpn:vpn_facstaffstudent", "test:vpn:vpn_employees"); addMember("test:vpn:vpn_facstaffstudent", "test:vpn:vpn_students"); addGroup("test:vpn", "other_cohorts", "other_cohorts"); -addComposite("test:vpn:other_cohorts", CompositeType.COMPLEMENT, "test:vpn:vpn_access", "test:vpn:vpn_facstaffstudent"); +addComposite("test:vpn:other_cohorts", CompositeType.COMPLEMENT, "test:vpn:vpn_legacy", "test:vpn:vpn_facstaffstudent"); diff --git a/ex401/ex401.1.3/container_files/seed-data/bootstrap.gsh b/ex401/ex401.1.3/container_files/seed-data/bootstrap.gsh index dac4a09..8324428 100644 --- a/ex401/ex401.1.3/container_files/seed-data/bootstrap.gsh +++ b/ex401/ex401.1.3/container_files/seed-data/bootstrap.gsh @@ -8,5 +8,4 @@ addGroup("app:vpn", "vpn_authorized", "vpn_authorized"); addMember("app:vpn:vpn_authorized", "ref:faculty"); addMember("app:vpn:vpn_authorized", "ref:staff"); -addMember("app:vpn:vpn_authorized", "ref:student"); addMember("app:vpn:vpn_authorized", "app:vpn:ref:vpn_adhoc"); diff --git a/ex401/ex401.1.4/container_files/grouper-loader.properties b/ex401/ex401.1.4/container_files/grouper-loader.properties index 9539771..fb60438 100644 --- a/ex401/ex401.1.4/container_files/grouper-loader.properties +++ b/ex401/ex401.1.4/container_files/grouper-loader.properties @@ -37,7 +37,7 @@ #note the URL should start with ldap: or ldaps: if it is SSL. #It should contain the server and port (optional if not default), and baseDn, #e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu -ldap.demo.url = ldap://localhost:389/dc=internet2,dc=edu +ldap.demo.url = ldap://localhost:389/ #optional, if authenticated ldap.demo.user = cn=root,dc=internet2,dc=edu 
@@ -79,11 +79,11 @@ changeLog.consumer.pspng_groupOfNames.ldapPoolName = demo changeLog.consumer.pspng_groupOfNames.supportsEmptyGroups = false changeLog.consumer.pspng_groupOfNames.memberAttributeName = member changeLog.consumer.pspng_groupOfNames.memberAttributeValueFormat = ${ldapUser.getDn()} -changeLog.consumer.pspng_groupOfNames.groupSearchBaseDn = ou=groups +changeLog.consumer.pspng_groupOfNames.groupSearchBaseDn = ou=groups,dc=internet2,dc=edu changeLog.consumer.pspng_groupOfNames.allGroupsSearchFilter = objectclass=groupOfNames changeLog.consumer.pspng_groupOfNames.singleGroupSearchFilter = (&(objectclass=groupOfNames)(cn=${group.name})) changeLog.consumer.pspng_groupOfNames.groupSearchAttributes = cn,objectclass changeLog.consumer.pspng_groupOfNames.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: groupOfNames -changeLog.consumer.pspng_groupOfNames.userSearchBaseDn = ou=people +changeLog.consumer.pspng_groupOfNames.userSearchBaseDn = ou=people,dc=internet2,dc=edu changeLog.consumer.pspng_groupOfNames.userSearchFilter = uid=${subject.id} changeLog.consumer.pspng_groupOfNames.grouperIsAuthoritative = true diff --git a/ex401/ex401.1.4/container_files/seed-data/bootstrap.gsh b/ex401/ex401.1.4/container_files/seed-data/bootstrap.gsh index 9522c04..2733435 100644 --- a/ex401/ex401.1.4/container_files/seed-data/bootstrap.gsh +++ b/ex401/ex401.1.4/container_files/seed-data/bootstrap.gsh @@ -1,6 +1,6 @@ gs = GrouperSession.startRootSession(); -//Assign the PSPNG attribute for the standard groups +//Assign the PSPNG attribute for the standard groups (needs to match 401.1.5's reset) group = GroupFinder.findByName(gs, "app:vpn:vpn_authorized"); # Auto create the PSPNG attributes diff --git a/ex401/ex401.1.5/container_files/seed-data/bootstrap.gsh b/ex401/ex401.1.5/container_files/seed-data/bootstrap.gsh index d02ed0d..1666acf 100644 --- a/ex401/ex401.1.5/container_files/seed-data/bootstrap.gsh 
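Review bot: With `grouperIsAuthoritative = true` a few lines below, the now fully qualified `groupSearchBaseDn` defines the exact subtree in which, as I read PSPNG's authoritative mode, every `objectclass=groupOfNames` entry not owned by Grouper becomes a candidate for deletion on a full sync, so the base-DN line deserves a warning: `# grouperIsAuthoritative=true: every groupOfNames under this base is treated as Grouper-managed; never point this at a shared OU`. The `groupCreationLdifTemplate` context line still uses the relative `dn: cn=${group.name}`, presumably completed by PSPNG with groupSearchBaseDn (or a groupCreationBaseDn) — confirm, because now that the URL carries no base a relative DN would otherwise land at the directory root. `${subject.id}` and `${group.name}` are substituted straight into `userSearchFilter`, `singleGroupSearchFilter` and the template DN with nothing visible here escaping them; uids and Grouper names are constrained enough for this exercise, but a `(`, `*` or `,` in either would change the query.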
+++ b/ex401/ex401.1.5/container_files/seed-data/bootstrap.gsh 
@@ -3,29 +3,48 @@ gs = GrouperSession.startRootSession(); addStem("ref", "iam", "iam"); addGroup("ref:iam", "gobal_deny", "gobal_deny"); -addGroup("app:vpn", "vpn_permit", "vpn_permit"); +addGroup("app:vpn", "vpn_allow", "vpn_allow"); addGroup("app:vpn", "vpn_deny", "vpn_deny"); addMember("app:vpn:vpn_deny", "ref:iam:gobal_deny"); group=addGroup("app:vpn:ref", "vpn_ajohnson409", "vpn_ajohnson409"); group.setDescription("special project managed by ajohnson409"); group.store(); -grantPriv("app:vpn:ref:vpn_ajohnson409", "ajohnson409", AccessPrivilege.ADMIN); + +addStem("app:vpn", "etc", "etc"); +addGroup("app:vpn:etc", "vpn_ajohnson409_mgr", "vpn_ajohnson409_mgr"); +addMember("app:vpn:etc:vpn_ajohnson409_mgr", "ajohnson409") +grantPriv("app:vpn:ref:vpn_ajohnson409", "app:vpn:etc:vpn_ajohnson409_mgr", AccessPrivilege.ADMIN); group=addGroup("app:vpn:ref", "vpn_consultants", "vpn_consultants"); group.setDescription("Consultants, must be approved by VP and have expiration date set"); group.store(); +//Refactoring group membership delGroup("app:vpn:vpn_authorized"); addGroup("app:vpn", "vpn_authorized", "vpn_authorized"); -addComposite("app:vpn:vpn_authorized", CompositeType.COMPLEMENT, "app:vpn:vpn_permit", "app:vpn:vpn_deny"); - -addMember("app:vpn:vpn_permit", "ref:faculty"); -addMember("app:vpn:vpn_permit", "ref:staff"); -addMember("app:vpn:vpn_permit", "ref:student"); -addMember("app:vpn:vpn_permit", "app:vpn:ref:vpn_adhoc"); -addMember("app:vpn:vpn_permit", "app:vpn:ref:vpn_ajohnson409"); -addMember("app:vpn:vpn_permit", "app:vpn:ref:vpn_consultants"); +addComposite("app:vpn:vpn_authorized", CompositeType.COMPLEMENT, "app:vpn:vpn_allow", "app:vpn:vpn_deny"); + +//Assign the PSPNG attribute for the standard groups (needs to match 401.1.4's initial settings) +group = GroupFinder.findByName(gs, "app:vpn:vpn_authorized"); + +# Auto create the PSPNG attributes +# edu.internet2.middleware.grouper.pspng.FullSyncProvisionerFactory.getFullSyncer("pspng_groupOfNames"); + 
+pspngAttribute = AttributeDefNameFinder.findByName("etc:pspng:provision_to", true); +AttributeAssignSave attributeAssignSave = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true); +attributeAssignSave.assignAttributeDefName(pspngAttribute); +attributeAssignSave.assignOwnerGroup(group); +attributeAssignSave.addValue("pspng_groupOfNames"); +attributeAssignSave.save(); + + +addMember("app:vpn:vpn_allow", "ref:faculty"); +addMember("app:vpn:vpn_allow", "ref:staff"); +addMember("app:vpn:vpn_allow", "ref:student"); +addMember("app:vpn:vpn_allow", "app:vpn:ref:vpn_adhoc"); +addMember("app:vpn:ref:vpn_adhoc", "app:vpn:ref:vpn_ajohnson409"); +addMember("app:vpn:ref:vpn_adhoc", "app:vpn:ref:vpn_consultants"); //Assign the PSPNG attribute for the standard groups diff --git a/ex401/ex401.1.end/container_files/seed-data/bootstrap.gsh b/ex401/ex401.1.end/container_files/seed-data/bootstrap.gsh index 09ee9e5..8646002 100644 --- a/ex401/ex401.1.end/container_files/seed-data/bootstrap.gsh +++ b/ex401/ex401.1.end/container_files/seed-data/bootstrap.gsh @@ -17,7 +17,6 @@ addMember("test:cisoQuestionableVpnUsersList","mwilliams144"); addMember("test:cisoQuestionableVpnUsersList","lpeterson153"); addMember("test:cisoQuestionableVpnUsersList","mvales154"); - addGroup("test", "whyvpnaccess", "Why Do They Have VPN Access"); addComposite("test:whyvpnaccess", CompositeType.INTERSECTION, "app:vpn:vpn_authorized", "test:cisoQuestionableVpnUsersList");
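Review bot: `ref:student` is re-admitted to `app:vpn:vpn_allow` here even though the 401.1.3 step in this same commit drops it from `vpn_authorized`; unless that reversal is part of the exercise narrative, students regain VPN through the new allow/deny composite, so a comment such as `//students are deliberately re-admitted here (401.1.3 removed them) to demonstrate the deny list` would stop the next edit from "fixing" one side. The `vpn_consultants` description promises VP approval and an expiration date, but nothing in the script configures either (no membership expiry or attestation is set), so the description should state that this is a process expectation rather than something Grouper enforces. Routing `vpn_ajohnson409` and `vpn_consultants` through `app:vpn:ref:vpn_adhoc` means the delegated ADMIN of `vpn_ajohnson409` (now the `vpn_ajohnson409_mgr` group, which is the right pattern) can admit anyone not in `vpn_deny`, so `vpn_adhoc` is the effective trust boundary and deserves a comment saying so. The `# Auto create the PSPNG attributes` lines copied from 401.1.4 use `#`, which Groovy does not treat as a comment; since the same lines already exist in the 401.1.4 script the container's GSH presumably tolerates them, but `//` is the safe form.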