diff --git a/Jenkinsfile b/Jenkinsfile index 73e4f3f..f09f317 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -15,9 +15,9 @@ **/ exceriseSets = [ // 'ex101' : [3, 2], -// 'ex201' : [2, 2, 5, 6], + 'ex201' : [1], // 'ex301' : [2, 2, 5, 6], - 'ex401' : [6, 9] + 'ex401' : [6, 9, 7, 1] ] pipeline { diff --git a/README.md b/README.md index d45e907..9004d71 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ A set of Grouper images that are used during I2/TIER training. ## Full Demo ``` -docker run -d -p 80:80 -p 389:389 -p 8443:443 -p 3306:3306 \ +docker run -d -p 389:389 -p 8443:443 -p 3306:3306 \ --name grouper-demo tier/grouper-training-env:full_demo ``` @@ -79,7 +79,7 @@ Now browse to http://localhost:15672/ and login with `guest`/`guest`, and create Now start the ex401 Grouper with this slightly modified command: ```bash -docker run -d -p 80:80 -p 389:389 -p 8443:443 -p 3306:3306 \ +docker run -d -p 389:389 -p 8443:443 -p 3306:3306 \ --link rabbitmq:rabbitmq --name gte tier/grouper-training-env:exXXX ``` diff --git a/base/Dockerfile b/base/Dockerfile index 0729886..998ba80 100644 --- a/base/Dockerfile +++ b/base/Dockerfile @@ -12,7 +12,7 @@ ENV ENV=training \ USERTOKEN=3.2.0_base RUN yum install -y epel-release \ - && yum install -y mariadb mariadb-server openldap openldap-clients openldap-servers phpMyAdmin phpldapadmin \ + && yum install -y emacs mariadb mariadb-server nano openldap openldap-clients openldap-servers phpMyAdmin phpldapadmin \ && yum clean all COPY container_files/seed-data/ /seed-data/ diff --git a/ex401/ex401.1.1/container_files/seed-data/ephemeral.gsh b/ex401/ex401.1.1/container_files/seed-data/ephemeral.gsh new file mode 100644 index 0000000..d97ad5f --- /dev/null +++ b/ex401/ex401.1.1/container_files/seed-data/ephemeral.gsh 
@@ -0,0 +1,17 @@
+// Script parameters
+group_name = "app:boardeffect:ref:workroom_helpers";
+numDays = 3;
+
+
+actAs = SubjectFinder.findRootSubject();
+vpn_adhoc = getGroups(group_name)[0];
+attribAssign = vpn_adhoc.getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();
+attribValueDelegate = attribAssign.getAttributeValueDelegate();
+attribValueDelegate.assignValue(RuleUtils.ruleActAsSubjectSourceIdName(), actAs.getSourceId());
+attribValueDelegate.assignValue(RuleUtils.ruleRunDaemonName(), "F");
+attribValueDelegate.assignValue(RuleUtils.ruleActAsSubjectIdName(), actAs.getId());
+attribValueDelegate.assignValue(RuleUtils.ruleCheckTypeName(), RuleCheckType.membershipAdd.name());
+attribValueDelegate.assignValue(RuleUtils.ruleIfConditionEnumName(), RuleIfConditionEnum.thisGroupHasImmediateEnabledNoEndDateMembership.name());
+attribValueDelegate.assignValue(RuleUtils.ruleThenEnumName(), RuleThenEnum.assignMembershipDisabledDaysForOwnerGroupId.name());
+attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg0Name(), numDays.toString());
+attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg1Name(), "T");
diff --git a/ex401/ex401.1.1/container_files/seed-data/skeleton.gsh b/ex401/ex401.1.1/container_files/seed-data/skeleton.gsh
new file mode 100644
index 0000000..a61450f
--- /dev/null
+++ b/ex401/ex401.1.1/container_files/seed-data/skeleton.gsh
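Review bot: In ephemeral.gsh, `vpn_adhoc = getGroups(group_name)[0];` takes the first result of what appears to be a name search and never checks that a group was found, so a missing group fails later with an opaque null error and a partial name match could attach a root-subject rule to the wrong group. An exact lookup that fails loudly is safer: `vpn_adhoc = GroupFinder.findByName(GrouperSession.staticGrouperSession(), group_name, true);`. The target path `app:boardeffect:...` also differs from the `board_effect` extension that skeleton.gsh creates in this same commit, so confirm which stem the exercise expects. The variable name `vpn_adhoc` looks left over from another script; something like `target_group` would read better.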
@@ -0,0 +1,58 @@
+// SET THESE
+parent_stem_path = "app";
+app_extension = "board_effect";
+app_name = "Board Effect";
+
+
+if (!app_name?.trim())
+{
+ app_name = app_extension;
+}
+
+def makeStemInheritable(obj, stemName, groupName, priv="admin") {
+ baseStem = obj.getStems(stemName)[0];
+ aGroup = obj.getGroups(groupName)[0];
+ RuleApi.inheritGroupPrivileges(
+ SubjectFinder.findRootSubject(),
+ baseStem,
+ Stem.Scope.SUB,
+ aGroup.toSubject(),
+ Privilege.getInstances(priv)
+ );
+ RuleApi.runRulesForOwner(baseStem);
+ if(priv == 'admin')
+ {
+ RuleApi.inheritFolderPrivileges(
+ SubjectFinder.findRootSubject(),
+ baseStem,
+ Stem.Scope.SUB,
+ aGroup.toSubject(),
+ Privilege.getInstances("stem, create"));
+ }
+ RuleApi.runRulesForOwner(baseStem);
+}
+
+stem = addStem(parent_stem_path, app_extension, app_name);
+etc_stem = addStem(stem.name, "etc", "etc");
+admin_group_name = "${app_extension}_admins";
+admin_group = addGroup(etc_stem.name, admin_group_name, admin_group_name);
+admin_group.grantPriv(admin_group.toMember().getSubject(), AccessPrivilege.ADMIN);
+mgr_group_name = "${app_extension}_mgr";
+mgr_group = addGroup(etc_stem.name, mgr_group_name, mgr_group_name);
+mgr_group.grantPriv(admin_group.toMember().getSubject(), AccessPrivilege.ADMIN);
+mgr_group.grantPriv(mgr_group.toMember().getSubject(), AccessPrivilege.UPDATE);
+mgr_group.grantPriv(mgr_group.toMember().getSubject(), AccessPrivilege.READ);
+view_group_name = "${app_extension}_viewers";
+view_group = addGroup(etc_stem.name, view_group_name, view_group_name);
+view_group.grantPriv(view_group.toMember().getSubject(), AccessPrivilege.READ);
+view_group.grantPriv(admin_group.toMember().getSubject(), AccessPrivilege.ADMIN);
+view_group.grantPriv(mgr_group.toMember().getSubject(), AccessPrivilege.UPDATE);
+view_group.grantPriv(mgr_group.toMember().getSubject(), AccessPrivilege.READ);
+admin_group.grantPriv(view_group.toMember().getSubject(), AccessPrivilege.READ);
+mgr_group.grantPriv(view_group.toMember().getSubject(), AccessPrivilege.READ);
+// Child objects should also grant perms to these groups.
+makeStemInheritable(this, stem.name, admin_group.name, 'admin');
+makeStemInheritable(this, stem.name, mgr_group.name, 'update');
+makeStemInheritable(this, stem.name, mgr_group.name, 'read');
+makeStemInheritable(this, stem.name, view_group.name, 'read');
+admin_group.revokePriv(mgr_group.toMember().getSubject(), AccessPrivilege.UPDATE);
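Review bot: The final `admin_group.revokePriv(mgr_group.toMember().getSubject(), AccessPrivilege.UPDATE);` in skeleton.gsh is a one-time cleanup of a grant that the standing inheritance rule created: `makeStemInheritable(this, stem.name, mgr_group.name, 'update')` is rooted at the app stem with `Stem.Scope.SUB`, which covers `etc` and therefore the admins group. If those rules are applied again (another `RuleApi.runRulesForOwner` on the stem, or a rules daemon if one is enabled), managers would presumably regain UPDATE on `${app_extension}_admins` and could add themselves to it, and any group later created under `etc` gets the same grant. Consider rooting the manager and viewer inheritance at a stem that does not contain `etc`, or at least add a comment above the revoke such as `// mgr must never hold UPDATE on the admins group; the inherited rule on the app stem can re-grant it`. Separately, `makeStemInheritable` calls `RuleApi.runRulesForOwner(baseStem)` twice even when `priv` is not `'admin'`; moving the second call inside the `if` block avoids the redundant run.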