From 0b1ff87ab8fff5e7a51a5c756cacb8c9ec2e1c53 Mon Sep 17 00:00:00 2001
From: John Gasper
Date: Thu, 20 Sep 2018 13:36:11 -0700
Subject: [PATCH] additional 403.3.x work
---
 .../container_files/grouper-loader.properties | 2 +-
 .../container_files/seed-data/bootstrap.gsh | 13 +--
 .../container_files/seed-data/bootstrap.gsh | 9 +-
 ex401/ex401.3.4/Dockerfile | 1 +
 .../container_files/grouper-loader.properties | 100 ++++++++++++++++++
 .../container_files/seed-data/bootstrap.gsh | 14 ++-
 .../container_files/seed-data/bootstrap.gsh | 8 ++
 .../container_files/seed-data/bootstrap.gsh | 24 +++++
 .../container_files/seed-data/bootstrap.gsh | 8 ++
 .../container_files/seed-data/bootstrap.gsh | 11 ++
 10 files changed, 174 insertions(+), 16 deletions(-)
 create mode 100644 ex401/ex401.3.4/container_files/grouper-loader.properties
diff --git a/ex401/ex401.2.3/container_files/grouper-loader.properties b/ex401/ex401.2.3/container_files/grouper-loader.properties
index 70b4351..650bb77 100644
--- a/ex401/ex401.2.3/container_files/grouper-loader.properties
+++ b/ex401/ex401.2.3/container_files/grouper-loader.properties
@@ -94,7 +94,7 @@ changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.ps
 changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
 changeLog.consumer.pspng_entitlements.ldapPoolName = demo
 changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
-changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.extension.equalsIgnoreCase('app:mfa:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : 'urn:mace:example.edu:' + group.extension}
+changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : 'urn:mace:example.edu:' + group.extension}
 changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
 changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
 changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=*
diff --git a/ex401/ex401.3.2/container_files/seed-data/bootstrap.gsh b/ex401/ex401.3.2/container_files/seed-data/bootstrap.gsh
index a71a16f..9d09a22 100644
--- a/ex401/ex401.3.2/container_files/seed-data/bootstrap.gsh
+++ b/ex401/ex401.3.2/container_files/seed-data/bootstrap.gsh
@@ -2,7 +2,7 @@ gs = GrouperSession.startRootSession();
 # SET THESE
 parent_stem_path = "app";
-app_extension = "baz";
+app_extension = "boardeffect";
 app_name = "";
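Review bot: The fallback branch of the new `provisionedAttributeValueFormat` still derives the entitlement from `group.extension` alone, so two provisioned groups that share an extension in different stems collapse into the same `urn:mace:example.edu:` value, and a group created elsewhere with a colliding extension would confer the same entitlement; the fix to compare `group.name` for the MFA case shows that the full path is what is distinctive. Consider building the fallback from `group.name` too (`'urn:mace:example.edu:' + group.name`), or add a comment stating why extensions are assumed to be unique across every group that carries the provision_to attribute. Whether a collision is actually reachable depends on which groups are marked for provisioning, which is not visible here.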
@@ -36,30 +36,25 @@ def makeStemInheritable(obj, stemName, groupName, priv="admin") {
 stem = addStem(parent_stem_path, app_extension, app_name);
 etc_stem = addStem(stem.name, "etc", "etc");
-admin_group_name = "${app_extension}_app_admins";
+admin_group_name = "${app_extension}_admins";
 admin_group = addGroup(etc_stem.name, admin_group_name, admin_group_name);
 admin_group.grantPriv(admin_group.toMember().getSubject(), AccessPrivilege.ADMIN);
-
-mgr_group_name = "${app_extension}_app_mgr";
+mgr_group_name = "${app_extension}_mgr";
 mgr_group = addGroup(etc_stem.name, mgr_group_name, mgr_group_name);
 mgr_group.grantPriv(admin_group.toMember().getSubject(), AccessPrivilege.ADMIN);
 mgr_group.grantPriv(mgr_group.toMember().getSubject(), AccessPrivilege.UPDATE);
 mgr_group.grantPriv(mgr_group.toMember().getSubject(), AccessPrivilege.READ);
-
-view_group_name = "${app_extension}_app_viewers";
+view_group_name = "${app_extension}_viewers";
 view_group = addGroup(etc_stem.name, view_group_name, view_group_name);
 view_group.grantPriv(view_group.toMember().getSubject(), AccessPrivilege.READ);
 view_group.grantPriv(admin_group.toMember().getSubject(), AccessPrivilege.ADMIN);
 view_group.grantPriv(mgr_group.toMember().getSubject(), AccessPrivilege.UPDATE);
 view_group.grantPriv(mgr_group.toMember().getSubject(), AccessPrivilege.READ);
-
 admin_group.grantPriv(view_group.toMember().getSubject(), AccessPrivilege.READ);
 mgr_group.grantPriv(view_group.toMember().getSubject(), AccessPrivilege.READ);
-
 # Child objects should also grant perms to these groups.
 makeStemInheritable(this, stem.name, admin_group.name, 'admin');
 makeStemInheritable(this, stem.name, mgr_group.name, 'update');
 makeStemInheritable(this, stem.name, mgr_group.name, 'read');
 makeStemInheritable(this, stem.name, view_group.name, 'read');
-
 admin_group.revokePriv(mgr_group.toMember().getSubject(), AccessPrivilege.UPDATE);
diff --git a/ex401/ex401.3.3/container_files/seed-data/bootstrap.gsh b/ex401/ex401.3.3/container_files/seed-data/bootstrap.gsh
index 464a9eb..2d83899 100644
--- a/ex401/ex401.3.3/container_files/seed-data/bootstrap.gsh
+++ b/ex401/ex401.3.3/container_files/seed-data/bootstrap.gsh
@@ -1,8 +1,7 @@
 gs = GrouperSession.startRootSession();
-addStem("app", "boardeffect", "boardeffect");
-addGroup("app:boardeffect", "cmt_fin_authorized", "cmt_fin_authorized");
-addGroup("app:boardeffect", "cmt_fin_allow", "cmt_fin_allow");
-addGroup("app:boardeffect", "cmt_fin_deny", "cmt_fin_deny");
+addGroup("app:boardeffect", "wr_cmt_fin_authorized", "wr_cmt_fin_authorized");
+addGroup("app:boardeffect", "wr_cmt_fin_allow", "wr_cmt_fin_allow");
+addGroup("app:boardeffect", "wr_cmt_fin_deny", "wr_cmt_fin_deny");
-addComposite("app:boardeffect:cmt_fin_authorized", CompositeType.COMPLEMENT, "app:boardeffect:cmt_fin_allow", "app:boardeffect:cmt_fin_deny");
+addComposite("app:boardeffect:wr_cmt_fin_authorized", CompositeType.COMPLEMENT, "app:boardeffect:wr_cmt_fin_allow", "app:boardeffect:wr_cmt_fin_deny");
diff --git a/ex401/ex401.3.4/Dockerfile b/ex401/ex401.3.4/Dockerfile
index fff67c0..39998c0 100644
--- a/ex401/ex401.3.4/Dockerfile
+++ b/ex401/ex401.3.4/Dockerfile
@@ -9,6 +9,7 @@ LABEL author="tier-packaging@internet2.edu " \
 ENV USERTOKEN=ex401.3.4
 COPY container_files/seed-data/ /seed-data/
+COPY container_files/grouper-loader.properties /opt/grouper/conf/
 RUN . /usr/local/bin/library.sh \
 && prepConf; \
diff --git a/ex401/ex401.3.4/container_files/grouper-loader.properties b/ex401/ex401.3.4/container_files/grouper-loader.properties
new file mode 100644
index 0000000..32a07fc
--- /dev/null
+++ b/ex401/ex401.3.4/container_files/grouper-loader.properties
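Review bot: The added `COPY container_files/grouper-loader.properties /opt/grouper/conf/` bakes a file that contains `ldap.demo.pass = password` for `cn=root,dc=internet2,dc=edu` into an image layer, so the bind credential is readable by anyone who can pull the image and survives any later removal from the filesystem. For a training container that may be acceptable, but the properties file's own comment says the password can be kept encrypted in an external file; mounting the file at run time or injecting the password from a secret would keep it out of the layer. At minimum a comment above the COPY such as `# demo-only LDAP credentials baked into the image; do not copy this pattern for a real deployment` would flag it.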
@@ -0,0 +1,100 @@
+#specify the consumers here. specify the consumer name after the changeLog.consumer. part. This example is "psp"
+#but it could be changeLog.consumer.myConsumerName.class
+#the class must extend edu.internet2.middleware.grouper.changeLog.ChangeLogConsumerBase
+#changeLog.consumer.psp.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer
+
+#the quartz cron is a cron-like string. it defaults to every minute on the minute (since the temp to change log job runs
+#at 10 seconds to each minute). it defaults to this: 0 * * * * ?
+#though it will stagger each one by 2 seconds
+# http://www.quartz-scheduler.org/documentation/quartz-1.x/tutorials/crontrigger
+#changeLog.consumer.psp.quartzCron = 0 * * * * ?
+
+# To retry processing a change log entry if an error occurs, set retryOnError to true. Defaults to false.
+#changeLog.consumer.psp.retryOnError = false
+
+# To run full provisioning synchronizations periodically, provide the class name which provides a 'public void fullSync()' method.
+#changeLog.psp.fullSync.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer
+
+# Schedule full synchronizations. Defaults to 5 am : 0 0 5 * * ?.
+#changeLog.psp.fullSync.quartzCron = 0 0 5 * * ?
+
+# Run a full synchronization job at startup. Defaults to false.
+#changeLog.psp.fullSync.runAtStartup = false
+
+# Omit diff responses from bulk response to conserve memory.
+#changeLog.psp.fullSync.omitDiffResponses = true
+
+# Omit sync responses from bulk response to conserve memory.
+#changeLog.psp.fullSync.omitSyncResponses = true
+
+#################################
+## LDAP connections
+#################################
+# specify the ldap connection with user, pass, url
+# the string after "ldap." is the ID of the connection, and it should not have
+# spaces or other special chars in it. In this case is it "personLdap"
+
+#note the URL should start with ldap: or ldaps: if it is SSL.
+#It should contain the server and port (optional if not default), and baseDn,
+#e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu
+ldap.demo.url = ldap://localhost:389/
+
+#optional, if authenticated
+ldap.demo.user = cn=root,dc=internet2,dc=edu
+
+#optional, if authenticated note the password can be stored encrypted in an external file
+ldap.demo.pass = password
+
+#optional, if you are using tls, set this to true. Generally you will not be using an SSL URL to use TLS...
+ldap.demo.tls = false
+
+#optional, if using sasl
+#ldap.personLdap.saslAuthorizationId =
+#ldap.personLdap.saslRealm =
+
+#optional (note, time limit is for search operations, timeout is for connection timeouts),
+#most of these default to vt-ldap defaults. times are in millis
+#validateOnCheckout defaults to true if all other validate methods are false
+#ldap.personLdap.batchSize =
+#ldap.personLdap.countLimit =
+#ldap.personLdap.timeLimit =
+#ldap.personLdap.timeout =
+#ldap.personLdap.minPoolSize =
+#ldap.personLdap.maxPoolSize =
+#ldap.personLdap.validateOnCheckIn =
+#ldap.personLdap.validateOnCheckOut =
+#ldap.personLdap.validatePeriodically =
+#ldap.personLdap.validateTimerPeriod =
+#ldap.personLdap.pruneTimerPeriod =
+#if connections expire after a certain amount of time, this is it, in millis, defaults to 300000 (5 minutes)
+#ldap.personLdap.expirationTime =
+
+#make the paths fully qualified and not relative to the loader group.
+loader.ldap.requireTopStemAsStemFromConfigGroup=false
+
+changeLog.consumer.pspng_groupOfNames.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
+changeLog.consumer.pspng_groupOfNames.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
+changeLog.consumer.pspng_groupOfNames.quartzCron = 0 * * * * ?
+changeLog.consumer.pspng_groupOfNames.ldapPoolName = demo
+changeLog.consumer.pspng_groupOfNames.supportsEmptyGroups = false
+changeLog.consumer.pspng_groupOfNames.memberAttributeName = member
+changeLog.consumer.pspng_groupOfNames.memberAttributeValueFormat = ${ldapUser.getDn()}
+changeLog.consumer.pspng_groupOfNames.groupSearchBaseDn = ou=groups,dc=internet2,dc=edu
+changeLog.consumer.pspng_groupOfNames.allGroupsSearchFilter = objectclass=groupOfNames
+changeLog.consumer.pspng_groupOfNames.singleGroupSearchFilter = (&(objectclass=groupOfNames)(cn=${group.name}))
+changeLog.consumer.pspng_groupOfNames.groupSearchAttributes = cn,objectclass
+changeLog.consumer.pspng_groupOfNames.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: groupOfNames
+changeLog.consumer.pspng_groupOfNames.userSearchBaseDn = ou=people,dc=internet2,dc=edu
+changeLog.consumer.pspng_groupOfNames.userSearchFilter = uid=${subject.id}
+changeLog.consumer.pspng_groupOfNames.grouperIsAuthoritative = true
+
+
+changeLog.consumer.pspng_entitlements.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
+changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner
+changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
+changeLog.consumer.pspng_entitlements.ldapPoolName = demo
+changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
+changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : (group.name.equalsIgnoreCase('app:boardeffect:boardeffect_authorized') ? 
'https://college.boardeffect.com/' : 'urn:mace:example.edu:' + group.extension) }
+changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
+changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
+changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=*
diff --git a/ex401/ex401.3.4/container_files/seed-data/bootstrap.gsh b/ex401/ex401.3.4/container_files/seed-data/bootstrap.gsh
index ec55a21..abce99e 100644
--- a/ex401/ex401.3.4/container_files/seed-data/bootstrap.gsh
+++ b/ex401/ex401.3.4/container_files/seed-data/bootstrap.gsh
@@ -3,5 +3,17 @@ gs = GrouperSession.startRootSession();
 addGroup("app:boardeffect", "boardeffect_authorized", "boardeffect_authorized");
 addGroup("app:boardeffect", "boardeffect_authorized_allow", "boardeffect_authorized_allow");
 addGroup("app:boardeffect", "boardeffect_authorized_deny", "boardeffect_authorized_deny");
-
 addComposite("app:boardeffect:boardeffect_authorized", CompositeType.COMPLEMENT, "app:boardeffect:boardeffect_authorized_allow", "app:boardeffect:boardeffect_authorized_deny");
+
+addMember("app:boardeffect:boardeffect_authorized_allow", "app:boardeffect:wr_cmt_fin_authorized");
+
+//Assign the PSPNG attribute for the standard groups
+group = GroupFinder.findByName(gs, "app:boardeffect:boardeffect_authorized");
+
+pspngAttribute = AttributeDefNameFinder.findByName("etc:pspng:provision_to", true);
+//pspngAttributeDef = AttributeDefFinder.findByName("etc:pspng:provision_to_def", true);
+AttributeAssignSave attributeAssignSave = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true);
+attributeAssignSave.assignAttributeDefName(pspngAttribute);
+attributeAssignSave.assignOwnerGroup(group);
+attributeAssignSave.addValue("pspng_entitlements");
+attributeAssignSave.save();
diff --git a/ex401/ex401.3.5/container_files/seed-data/bootstrap.gsh b/ex401/ex401.3.5/container_files/seed-data/bootstrap.gsh
index 0c07f9d..b838ad2 100644
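Review bot: The new LDAP pool binds as the directory root (`ldap.demo.user = cn=root,dc=internet2,dc=edu`) with a cleartext `ldap.demo.pass = password` over `ldap://localhost:389/` and `ldap.demo.tls = false`, so the credential crosses the wire unprotected and the provisioner holds far more privilege than writing `ou=groups` and `eduPersonEntitlement` under `ou=people` requires. Prefer a dedicated service DN limited to those subtrees, `ldaps://` or `ldap.demo.tls = true`, and the externalised, encrypted password the file's own comment already mentions, with a comment marking the current values as demo-only. Separately, `grouperIsAuthoritative = true` means members of a matching groupOfNames that Grouper does not know about are removed, which deserves a `# authoritative: LDAP members not present in Grouper are deleted` note, and `singleGroupSearchFilter` / `userSearchFilter` interpolate `${group.name}` and `${subject.id}` into LDAP filters, so confirm PSPNG escapes those values before this file is reused outside the demo.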
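Review bot: `//pspngAttributeDef = AttributeDefFinder.findByName("etc:pspng:provision_to_def", true);` is commented-out code and should be removed rather than shipped in a seed script. The value `"pspng_entitlements"` passed to `addValue` has to match the consumer key in grouper-loader.properties exactly, and a mismatch presumably results in no provisioning at all rather than an error, so a comment such as `// value must equal the changeLog.consumer.<name> key in grouper-loader.properties` would make the coupling visible. It is also not clear from here whether calling `attributeAssignSave.save()` again on a re-run duplicates or replaces the assignment; worth confirming if these bootstrap scripts are meant to be idempotent.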
--- a/ex401/ex401.3.5/container_files/seed-data/bootstrap.gsh
+++ b/ex401/ex401.3.5/container_files/seed-data/bootstrap.gsh
@@ -1 +1,9 @@
 gs = GrouperSession.startRootSession();
+
+addStem("app:boardeffect", "ref", "ref");
+addGroup("app:boardeffect:ref", "cmt_fin", "cmt_fin");
+
+addMember("app:boardeffect:wr_cmt_fin_allow", "app:boardeffect:ref:cmt_fin");
+addMember("app:boardeffect:wr_cmt_fin_deny", "ref:iam:gobal_deny");
+
+addMember("app:boardeffect:etc:boardeffect_admins", "amartinez410");
\ No newline at end of file
diff --git a/ex401/ex401.3.6/container_files/seed-data/bootstrap.gsh b/ex401/ex401.3.6/container_files/seed-data/bootstrap.gsh
index 0c07f9d..b8b052b 100644
--- a/ex401/ex401.3.6/container_files/seed-data/bootstrap.gsh
+++ b/ex401/ex401.3.6/container_files/seed-data/bootstrap.gsh
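Review bot: `addMember("app:boardeffect:wr_cmt_fin_deny", "ref:iam:gobal_deny")` names a group that reads like a misspelling of `global_deny`, and nothing in this commit creates `ref:iam:gobal_deny`; either the call fails at bootstrap or, if a group by that name happens to exist, the deny side of the `wr_cmt_fin_authorized` complement is wired to the wrong group and excludes nobody. Verify the intended name and resolve it explicitly first, e.g. `denyGroup = GroupFinder.findByName(gs, "ref:iam:global_deny", true);`, so a missing deny group fails loudly instead of silently weakening the authorization composite. The file also has no trailing newline.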
@@ -1 +1,25 @@
 gs = GrouperSession.startRootSession();
+
+addGroup("app:boardeffect:ref", "cmt_fin_helpers", "cmt_fin_helpers");
+addMember("app:boardeffect:wr_cmt_fin_allow", "app:boardeffect:ref:cmt_fin_helpers");
+
+
+addGroup("app:boardeffect:ref", "workroom_helpers", "workroom_helpers");
+addMember("app:boardeffect:wr_cmt_fin_allow", "app:boardeffect:ref:workroom_helpers")
+
+# Script parameters
+group_name = "app:boardeffect:ref:workroom_helpers";
+numDays = 32;
+
+actAs = SubjectFinder.findRootSubject();
+vpn_adhoc = getGroups(group_name)[0];
+attribAssign = vpn_adhoc.getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();
+attribValueDelegate = attribAssign.getAttributeValueDelegate();
+attribValueDelegate.assignValue(RuleUtils.ruleActAsSubjectSourceIdName(), actAs.getSourceId());
+attribValueDelegate.assignValue(RuleUtils.ruleRunDaemonName(), "F");
+attribValueDelegate.assignValue(RuleUtils.ruleActAsSubjectIdName(), actAs.getId());
+attribValueDelegate.assignValue(RuleUtils.ruleCheckTypeName(), RuleCheckType.membershipAdd.name());
+attribValueDelegate.assignValue(RuleUtils.ruleIfConditionEnumName(), RuleIfConditionEnum.thisGroupHasImmediateEnabledNoEndDateMembership.name());
+attribValueDelegate.assignValue(RuleUtils.ruleThenEnumName(), RuleThenEnum.assignMembershipDisabledDaysForOwnerGroupId.name());
+attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg0Name(), numDays.toString());
+attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg1Name(), "T");
diff --git a/ex401/ex401.3.7/container_files/seed-data/bootstrap.gsh b/ex401/ex401.3.7/container_files/seed-data/bootstrap.gsh
index 5d8860c..9f92fba 100644
--- a/ex401/ex401.3.7/container_files/seed-data/bootstrap.gsh
+++ b/ex401/ex401.3.7/container_files/seed-data/bootstrap.gsh
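Review bot: `vpn_adhoc = getGroups(group_name)[0];` carries a variable name left over from a different example; it holds `app:boardeffect:ref:workroom_helpers`, so rename it to something like `workroom_helpers` to avoid misleading the next reader. The rule is installed to act as the root subject (`actAs = SubjectFinder.findRootSubject()`) with `ruleRunDaemonName` set to `"F"`; acting as root is broader than an expiry rule on one group needs, and with the daemon off, memberships that already lack an end date when the rule is created are presumably not retrofitted with the 32-day expiry, so a short comment stating both choices would help whoever copies this. The `addMember(... "app:boardeffect:ref:workroom_helpers")` line is also missing the trailing semicolon the surrounding lines use.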
@@ -1,2 +1,10 @@
 gs = GrouperSession.startRootSession();
+
+addStem("ref", "roles", "roles");
+addGroup("ref:roles", "president_assistant", "president_assistant");
+
+addMember("app:boardeffect:etc:boardeffect_mgr", "ref:roles:president_assistant")
+
+addMember("ref:roles:president_assistant", "amartinez410");
+delMember("app:boardeffect:etc:boardeffect_admins", "amartinez410");
\ No newline at end of file
diff --git a/ex401/ex401.3.end/container_files/seed-data/bootstrap.gsh b/ex401/ex401.3.end/container_files/seed-data/bootstrap.gsh
index 0c07f9d..11d3c23 100644
--- a/ex401/ex401.3.end/container_files/seed-data/bootstrap.gsh
+++ b/ex401/ex401.3.end/container_files/seed-data/bootstrap.gsh
@@ -1 +1,12 @@
 gs = GrouperSession.startRootSession();
+
+addStem("ref", "board", "board");
+
+group = GroupFinder.findByName(gs, "app:boardeffect:ref:cmt_fin", true);
+stem = StemFinder.findByName(gs, "ref:board", true);
+group.move(stem);
+
+addStem("ref:board", "etc", "etc");
+addGroup("ref:board:etc", "board_managers", "board_managers");
+
+addMember("ref:board:etc:board_managers", "ref:roles:president_assistant");
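Review bot: Placing `ref:roles:president_assistant` into `app:boardeffect:etc:boardeffect_mgr` means whoever can edit the role group's membership can indirectly hand out BoardEffect manager rights, yet `ref:roles` is created here with no privilege setup visible, unlike the app stem built in ex401.3.2. State who administers it, for example with `# membership of ref:roles:* is effectively privileged; restrict UPDATE on these groups` or an explicit grant on the `ref:roles` stem. The add-then-delete order for amartinez410 leaves no gap, which is good; both `addMember` lines lack the semicolon used elsewhere and the file has no trailing newline.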
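Review bot: `ref:board:etc:board_managers` is created and populated but is never granted any privilege in this hunk, so its name promises more than the script delivers; if it is meant to manage `ref:board`, grant it on the stem (e.g. `stem.grantPriv(GroupFinder.findByName(gs, "ref:board:etc:board_managers", true).toMember().getSubject(), NamingPrivilege.STEM);`) or add a comment saying the grant happens elsewhere. `group.move(stem)` also relocates `cmt_fin` out of `app:boardeffect`, where the boardeffect admin/mgr/viewer groups hold privileges on child objects; whether those direct grants travel with the moved group and whether that is intended is not visible here and should be confirmed or commented.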