additional 403.3.x work

ex401/ex401.2.3/container_files/grouper-loader.properties

@@ -94,7 +94,7 @@ changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.ps
 changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
 changeLog.consumer.pspng_entitlements.ldapPoolName = demo
 changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
-changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.extension.equalsIgnoreCase('app:mfa:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : 'urn:mace:example.edu:' + group.extension}
+changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : 'urn:mace:example.edu:' + group.extension}
 changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
 changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
 changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=*

ex401/ex401.3.2/container_files/seed-data/bootstrap.gsh

@@ -2,7 +2,7 @@ gs = GrouperSession.startRootSession();
 
 # SET THESE
 parent_stem_path = "app";
-app_extension = "baz";
+app_extension = "boardeffect";
 app_name = "";
 
 
@@ -36,30 +36,25 @@ def makeStemInheritable(obj, stemName, groupName, priv="admin") {
 
 stem = addStem(parent_stem_path, app_extension, app_name);
 etc_stem = addStem(stem.name, "etc", "etc");
-admin_group_name = "${app_extension}_app_admins";
+admin_group_name = "${app_extension}_admins";
 admin_group = addGroup(etc_stem.name, admin_group_name, admin_group_name);
 admin_group.grantPriv(admin_group.toMember().getSubject(), AccessPrivilege.ADMIN);
-
-mgr_group_name = "${app_extension}_app_mgr";
+mgr_group_name = "${app_extension}_mgr";
 mgr_group = addGroup(etc_stem.name, mgr_group_name, mgr_group_name);
 mgr_group.grantPriv(admin_group.toMember().getSubject(), AccessPrivilege.ADMIN);
 mgr_group.grantPriv(mgr_group.toMember().getSubject(), AccessPrivilege.UPDATE);
 mgr_group.grantPriv(mgr_group.toMember().getSubject(), AccessPrivilege.READ);
-
-view_group_name = "${app_extension}_app_viewers";
+view_group_name = "${app_extension}_viewers";
 view_group = addGroup(etc_stem.name, view_group_name, view_group_name);
 view_group.grantPriv(view_group.toMember().getSubject(), AccessPrivilege.READ);
 view_group.grantPriv(admin_group.toMember().getSubject(), AccessPrivilege.ADMIN);
 view_group.grantPriv(mgr_group.toMember().getSubject(), AccessPrivilege.UPDATE);
 view_group.grantPriv(mgr_group.toMember().getSubject(), AccessPrivilege.READ);
-
 admin_group.grantPriv(view_group.toMember().getSubject(), AccessPrivilege.READ);
 mgr_group.grantPriv(view_group.toMember().getSubject(), AccessPrivilege.READ);
-
 # Child objects should also grant perms to these groups.
 makeStemInheritable(this, stem.name, admin_group.name, 'admin');
 makeStemInheritable(this, stem.name, mgr_group.name, 'update');
 makeStemInheritable(this, stem.name, mgr_group.name, 'read');
 makeStemInheritable(this, stem.name, view_group.name, 'read');
-
 admin_group.revokePriv(mgr_group.toMember().getSubject(), AccessPrivilege.UPDATE);

ex401/ex401.3.3/container_files/seed-data/bootstrap.gsh

@@ -1,8 +1,7 @@
 gs = GrouperSession.startRootSession();
 
-addStem("app", "boardeffect", "boardeffect");
-addGroup("app:boardeffect", "cmt_fin_authorized", "cmt_fin_authorized");
-addGroup("app:boardeffect", "cmt_fin_allow", "cmt_fin_allow");
-addGroup("app:boardeffect", "cmt_fin_deny", "cmt_fin_deny");
+addGroup("app:boardeffect", "wr_cmt_fin_authorized", "wr_cmt_fin_authorized");
+addGroup("app:boardeffect", "wr_cmt_fin_allow", "wr_cmt_fin_allow");
+addGroup("app:boardeffect", "wr_cmt_fin_deny", "wr_cmt_fin_deny");
 
-addComposite("app:boardeffect:cmt_fin_authorized", CompositeType.COMPLEMENT, "app:boardeffect:cmt_fin_allow", "app:boardeffect:cmt_fin_deny");
+addComposite("app:boardeffect:wr_cmt_fin_authorized", CompositeType.COMPLEMENT, "app:boardeffect:wr_cmt_fin_allow", "app:boardeffect:wr_cmt_fin_deny");

ex401/ex401.3.4/Dockerfile

@@ -9,6 +9,7 @@ LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
 ENV USERTOKEN=ex401.3.4
 
 COPY container_files/seed-data/ /seed-data/
+COPY container_files/grouper-loader.properties /opt/grouper/conf/
 
 RUN . /usr/local/bin/library.sh \
     && prepConf; \

ex401/ex401.3.4/container_files/grouper-loader.properties

@@ -0,0 +1,100 @@
+#specify the consumers here.  specify the consumer name after the changeLog.consumer. part.  This example is "psp"
+#but it could be changeLog.consumer.myConsumerName.class
+#the class must extend edu.internet2.middleware.grouper.changeLog.ChangeLogConsumerBase
+#changeLog.consumer.psp.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer
+
+#the quartz cron is a cron-like string.  it defaults to every minute on the minute (since the temp to change log job runs
+#at 10 seconds to each minute).  it defaults to this: 0 * * * * ?                                          
+#though it will stagger each one by 2 seconds                                                              
+# http://www.quartz-scheduler.org/documentation/quartz-1.x/tutorials/crontrigger                           
+#changeLog.consumer.psp.quartzCron = 0 * * * * ?                                                          
+
+# To retry processing a change log entry if an error occurs, set retryOnError to true. Defaults to false.  
+#changeLog.consumer.psp.retryOnError = false                                                              
+
+# To run full provisioning synchronizations periodically, provide the class name which provides a 'public void fullSync()' method.
+#changeLog.psp.fullSync.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer                 
+
+# Schedule full synchronizations. Defaults to 5 am : 0 0 5 * * ?.                                          
+#changeLog.psp.fullSync.quartzCron = 0 0 5 * * ?
+
+# Run a full synchronization job at startup. Defaults to false.                                            
+#changeLog.psp.fullSync.runAtStartup = false                                                              
+
+# Omit diff responses from bulk response to conserve memory.                                               
+#changeLog.psp.fullSync.omitDiffResponses = true                                                          
+
+# Omit sync responses from bulk response to conserve memory.                                               
+#changeLog.psp.fullSync.omitSyncResponses = true 
+
+#################################
+## LDAP connections
+#################################
+# specify the ldap connection with user, pass, url
+# the string after "ldap." is the ID of the connection, and it should not have
+# spaces or other special chars in it.  In this case is it "personLdap"
+
+#note the URL should start with ldap: or ldaps: if it is SSL.  
+#It should contain the server and port (optional if not default), and baseDn,
+#e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu
+ldap.demo.url = ldap://localhost:389/
+
+#optional, if authenticated
+ldap.demo.user = cn=root,dc=internet2,dc=edu
+
+#optional, if authenticated note the password can be stored encrypted in an external file
+ldap.demo.pass = password
+
+#optional, if you are using tls, set this to true.  Generally you will not be using an SSL URL to use TLS...
+ldap.demo.tls = false
+
+#optional, if using sasl
+#ldap.personLdap.saslAuthorizationId =
+#ldap.personLdap.saslRealm =
+
+#optional (note, time limit is for search operations, timeout is for connection timeouts),
+#most of these default to vt-ldap defaults.  times are in millis
+#validateOnCheckout defaults to true if all other validate methods are false
+#ldap.personLdap.batchSize =
+#ldap.personLdap.countLimit =
+#ldap.personLdap.timeLimit =
+#ldap.personLdap.timeout =
+#ldap.personLdap.minPoolSize =
+#ldap.personLdap.maxPoolSize =
+#ldap.personLdap.validateOnCheckIn =
+#ldap.personLdap.validateOnCheckOut =
+#ldap.personLdap.validatePeriodically =
+#ldap.personLdap.validateTimerPeriod =
+#ldap.personLdap.pruneTimerPeriod =
+#if connections expire after a certain amount of time, this is it, in millis, defaults to 300000 (5 minutes)
+#ldap.personLdap.expirationTime =
+
+#make the paths fully qualified and not relative to the loader group.
+loader.ldap.requireTopStemAsStemFromConfigGroup=false
+
+changeLog.consumer.pspng_groupOfNames.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
+changeLog.consumer.pspng_groupOfNames.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
+changeLog.consumer.pspng_groupOfNames.quartzCron = 0 * * * * ?
+changeLog.consumer.pspng_groupOfNames.ldapPoolName = demo
+changeLog.consumer.pspng_groupOfNames.supportsEmptyGroups = false
+changeLog.consumer.pspng_groupOfNames.memberAttributeName = member
+changeLog.consumer.pspng_groupOfNames.memberAttributeValueFormat = ${ldapUser.getDn()}
+changeLog.consumer.pspng_groupOfNames.groupSearchBaseDn = ou=groups,dc=internet2,dc=edu
+changeLog.consumer.pspng_groupOfNames.allGroupsSearchFilter = objectclass=groupOfNames
+changeLog.consumer.pspng_groupOfNames.singleGroupSearchFilter = (&(objectclass=groupOfNames)(cn=${group.name}))
+changeLog.consumer.pspng_groupOfNames.groupSearchAttributes = cn,objectclass
+changeLog.consumer.pspng_groupOfNames.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: groupOfNames
+changeLog.consumer.pspng_groupOfNames.userSearchBaseDn = ou=people,dc=internet2,dc=edu
+changeLog.consumer.pspng_groupOfNames.userSearchFilter = uid=${subject.id}
+changeLog.consumer.pspng_groupOfNames.grouperIsAuthoritative = true
+
+
+changeLog.consumer.pspng_entitlements.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
+changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner
+changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
+changeLog.consumer.pspng_entitlements.ldapPoolName = demo
+changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
+changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : (group.name.equalsIgnoreCase('app:boardeffect:boardeffect_authorized') ? 'https://college.boardeffect.com/' : 'urn:mace:example.edu:' + group.extension) }
+changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
+changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
+changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=*

ex401/ex401.3.4/container_files/seed-data/bootstrap.gsh

@@ -3,5 +3,17 @@ gs = GrouperSession.startRootSession();
 addGroup("app:boardeffect", "boardeffect_authorized", "boardeffect_authorized");
 addGroup("app:boardeffect", "boardeffect_authorized_allow", "boardeffect_authorized_allow");
 addGroup("app:boardeffect", "boardeffect_authorized_deny", "boardeffect_authorized_deny");
-
 addComposite("app:boardeffect:boardeffect_authorized", CompositeType.COMPLEMENT, "app:boardeffect:boardeffect_authorized_allow", "app:boardeffect:boardeffect_authorized_deny");
+
+addMember("app:boardeffect:boardeffect_authorized_allow", "app:boardeffect:wr_cmt_fin_authorized");
+
+//Assign the PSPNG attribute for the standard groups
+group = GroupFinder.findByName(gs, "app:boardeffect:boardeffect_authorized");
+
+pspngAttribute = AttributeDefNameFinder.findByName("etc:pspng:provision_to", true);
+//pspngAttributeDef = AttributeDefFinder.findByName("etc:pspng:provision_to_def", true);
+AttributeAssignSave attributeAssignSave = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true);
+attributeAssignSave.assignAttributeDefName(pspngAttribute);
+attributeAssignSave.assignOwnerGroup(group);
+attributeAssignSave.addValue("pspng_entitlements");
+attributeAssignSave.save();

ex401/ex401.3.5/container_files/seed-data/bootstrap.gsh

@@ -1 +1,9 @@
 gs = GrouperSession.startRootSession();
+
+addStem("app:boardeffect", "ref", "ref");
+addGroup("app:boardeffect:ref", "cmt_fin", "cmt_fin");
+
+addMember("app:boardeffect:wr_cmt_fin_allow", "app:boardeffect:ref:cmt_fin");
+addMember("app:boardeffect:wr_cmt_fin_deny", "ref:iam:gobal_deny");
+
+addMember("app:boardeffect:etc:boardeffect_admins", "amartinez410");

ex401/ex401.3.6/container_files/seed-data/bootstrap.gsh

@@ -1 +1,25 @@
 gs = GrouperSession.startRootSession();
+
+addGroup("app:boardeffect:ref", "cmt_fin_helpers", "cmt_fin_helpers");
+addMember("app:boardeffect:wr_cmt_fin_allow", "app:boardeffect:ref:cmt_fin_helpers");
+
+
+addGroup("app:boardeffect:ref", "workroom_helpers", "workroom_helpers");
+addMember("app:boardeffect:wr_cmt_fin_allow", "app:boardeffect:ref:workroom_helpers")
+
+# Script parameters
+group_name = "app:boardeffect:ref:workroom_helpers";
+numDays = 32;
+
+actAs = SubjectFinder.findRootSubject();
+vpn_adhoc = getGroups(group_name)[0];
+attribAssign = vpn_adhoc.getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();
+attribValueDelegate = attribAssign.getAttributeValueDelegate();
+attribValueDelegate.assignValue(RuleUtils.ruleActAsSubjectSourceIdName(), actAs.getSourceId());
+attribValueDelegate.assignValue(RuleUtils.ruleRunDaemonName(), "F");
+attribValueDelegate.assignValue(RuleUtils.ruleActAsSubjectIdName(), actAs.getId());
+attribValueDelegate.assignValue(RuleUtils.ruleCheckTypeName(), RuleCheckType.membershipAdd.name());
+attribValueDelegate.assignValue(RuleUtils.ruleIfConditionEnumName(), RuleIfConditionEnum.thisGroupHasImmediateEnabledNoEndDateMembership.name());
+attribValueDelegate.assignValue(RuleUtils.ruleThenEnumName(), RuleThenEnum.assignMembershipDisabledDaysForOwnerGroupId.name());
+attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg0Name(), numDays.toString());
+attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg1Name(), "T");

ex401/ex401.3.7/container_files/seed-data/bootstrap.gsh

@@ -1,2 +1,10 @@
 gs = GrouperSession.startRootSession();
 
+
+addStem("ref", "roles", "roles");
+addGroup("ref:roles", "president_assistant", "president_assistant");
+
+addMember("app:boardeffect:etc:boardeffect_mgr", "ref:roles:president_assistant")
+
+addMember("ref:roles:president_assistant", "amartinez410");
+delMember("app:boardeffect:etc:boardeffect_admins", "amartinez410");

ex401/ex401.3.end/container_files/seed-data/bootstrap.gsh

@@ -1 +1,12 @@
 gs = GrouperSession.startRootSession();
+
+addStem("ref", "board", "board");
+
+group = GroupFinder.findByName(gs, "app:boardeffect:ref:cmt_fin", true);
+stem = StemFinder.findByName(gs, "ref:board", true);
+group.move(stem);
+
+addStem("ref:board", "etc", "etc");
+addGroup("ref:board:etc", "board_managers", "board_managers");
+
+addMember("ref:board:etc:board_managers", "ref:roles:president_assistant");