eduPersonEntitlement default to group name, not extension; finish 201…
….end and 401.end
credman committed Sep 19, 2021
1 parent 6e64e9a commit 51d7d8a
Showing 8 changed files with 686 additions and 55 deletions.
17 changes: 7 additions & 10 deletions ex101/ex101.1.1/container_files/seed-data/bootstrap.gsh
Expand Up @@ -285,7 +285,7 @@ config.propertyName("provisioner.eduPersonAffiliation.subjectSourcesToProvision"
config.propertyName("provisioner.eduPersonAffiliation.targetEntityAttribute.0.fieldName").value('''name''').store()
config.propertyName("provisioner.eduPersonAffiliation.targetEntityAttribute.0.isFieldElseAttribute").value('''true''').store()
config.propertyName("provisioner.eduPersonAffiliation.targetEntityAttribute.0.select").value('''true''').store()
config.propertyName("provisioner.eduPersonAffiliation.targetEntityAttribute.0.translateExpression").value('''${'uid=' + grouperProvisioningEntity.subjectId + ',ou=people,dc=internet2,dc=edu'}''').store()
config.propertyName("provisioner.eduPersonAffiliation.targetEntityAttribute.0.translateExpression").value('''${'uid=' + grouperProvisioningEntity.retrieveAttributeValueString('subjectIdentifier0') + ',ou=people,dc=internet2,dc=edu'}''').store()
config.propertyName("provisioner.eduPersonAffiliation.targetEntityAttribute.0.translateExpressionType").value('''translationScript''').store()
config.propertyName("provisioner.eduPersonAffiliation.targetEntityAttribute.0.translateToMemberSyncField").value('''memberToId2''').store()
config.propertyName("provisioner.eduPersonAffiliation.targetEntityAttribute.0.valueType").value('''string''').store()
Expand All @@ -295,7 +295,7 @@ config.propertyName("provisioner.eduPersonAffiliation.targetEntityAttribute.1.na
config.propertyName("provisioner.eduPersonAffiliation.targetEntityAttribute.1.searchAttribute").value('''true''').store()
config.propertyName("provisioner.eduPersonAffiliation.targetEntityAttribute.1.select").value('''true''').store()
config.propertyName("provisioner.eduPersonAffiliation.targetEntityAttribute.1.translateExpressionType").value('''grouperProvisioningEntityField''').store()
config.propertyName("provisioner.eduPersonAffiliation.targetEntityAttribute.1.translateFromGrouperProvisioningEntityField").value('''subjectId''').store()
config.propertyName("provisioner.eduPersonAffiliation.targetEntityAttribute.1.translateFromGrouperProvisioningEntityField").value('''attribute__subjectIdentifier0''').store()
config.propertyName("provisioner.eduPersonAffiliation.targetEntityAttribute.1.valueType").value('''string''').store()
config.propertyName("provisioner.eduPersonAffiliation.targetEntityAttribute.2.isFieldElseAttribute").value('''false''').store()
config.propertyName("provisioner.eduPersonAffiliation.targetEntityAttribute.2.membershipAttribute").value('''true''').store()
Expand Down Expand Up @@ -337,7 +337,7 @@ config.propertyName("provisioner.eduPersonEntitlement.subjectSourcesToProvision"
config.propertyName("provisioner.eduPersonEntitlement.targetEntityAttribute.0.fieldName").value('''name''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetEntityAttribute.0.isFieldElseAttribute").value('''true''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetEntityAttribute.0.select").value('''true''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetEntityAttribute.0.translateExpression").value('''${'uid=' + grouperProvisioningEntity.subjectId + ',ou=people,dc=internet2,dc=edu'}''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetEntityAttribute.0.translateExpression").value('''${'uid=' + grouperProvisioningEntity.retrieveAttributeValueString('subjectIdentifier0') + ',ou=people,dc=internet2,dc=edu'}''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetEntityAttribute.0.translateExpressionType").value('''translationScript''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetEntityAttribute.0.valueType").value('''string''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetEntityAttribute.1.isFieldElseAttribute").value('''false''').store()
Expand All @@ -346,7 +346,7 @@ config.propertyName("provisioner.eduPersonEntitlement.targetEntityAttribute.1.na
config.propertyName("provisioner.eduPersonEntitlement.targetEntityAttribute.1.searchAttribute").value('''true''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetEntityAttribute.1.select").value('''true''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetEntityAttribute.1.translateExpressionType").value('''grouperProvisioningEntityField''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetEntityAttribute.1.translateFromGrouperProvisioningEntityField").value('''subjectId''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetEntityAttribute.1.translateFromGrouperProvisioningEntityField").value('''attribute__subjectIdentifier0''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetEntityAttribute.1.valueType").value('''string''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetEntityAttribute.2.isFieldElseAttribute").value('''false''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetEntityAttribute.2.membershipAttribute").value('''true''').store()
Expand All @@ -356,14 +356,16 @@ config.propertyName("provisioner.eduPersonEntitlement.targetEntityAttribute.2.tr
config.propertyName("provisioner.eduPersonEntitlement.targetEntityAttribute.2.valueType").value('''string''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetGroupAttribute.0.isFieldElseAttribute").value('''false''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetGroupAttribute.0.name").value('''entitlement''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetGroupAttribute.0.translateExpression").value('''${grouperUtil.defaultIfBlank(grouperProvisioningGroup.retrieveAttributeValueString('md_entitlementValue') , grouperProvisioningGroup.extension )}''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetGroupAttribute.0.translateExpression").value('''${grouperUtil.defaultIfBlank(grouperProvisioningGroup.retrieveAttributeValueString('md_entitlementValue') , grouperProvisioningGroup.name )}''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetGroupAttribute.0.translateExpressionType").value('''translationScript''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetGroupAttribute.0.translateGrouperToGroupSyncField").value('''groupFromId2''').store()
config.propertyName("provisioner.eduPersonEntitlement.targetGroupAttribute.0.valueType").value('''string''').store()
config.propertyName("provisioner.eduPersonEntitlement.userSearchAllFilter").value('''(uid=*)''').store()
config.propertyName("provisioner.eduPersonEntitlement.userSearchBaseDn").value('''ou=people,dc=internet2,dc=edu''').store()

textConfig.propertyName("md_entitlementValue_eduPersonEntitlement_label").value('''Entitlement String''').store()
textConfig.propertyName("md_entitlementValue_eduPersonEntitlement_description").value(
'''Static string value to use as the entitlement. Will use the group name if not set''').store()

/* for this exercise, they will create a full sync provisioner in the UI */

Expand Down Expand Up @@ -508,8 +510,3 @@ def group = new GroupSave(gs).assignName("ref:role:all_facstaff").assignDisplayE
/***** Schedule jobs is an upgrade task for 2.5.55 ****/

GrouperLoader.scheduleJobs()

/* TODO
* - Groups not picking up object types from parent folder, even after running object type daemon
* - Check the groupOfNames provisioner for grouper authoritative -- it is deleting vpn_users
*/
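Review bot: The new fallback in the `targetGroupAttribute.0.translateExpression` line substitutes the full Grouper group name (e.g. `app:wiki:service:policy:wiki_user`) as the eduPersonEntitlement value whenever `md_entitlementValue` is blank, so a group rename now silently changes the entitlement string that relying parties match on, and any group marked for this provisioner without the metadata publishes its internal folder path to LDAP. The description text added below says "Will use the group name if not set", so this looks intended; I would still put a comment next to the expression, `// fallback is the full group name, not a URI: set md_entitlementValue on any group whose entitlement leaves the IdP`. The `targetEntityAttribute.0.translateExpression` lines of both provisioners now build the DN from `retrieveAttributeValueString('subjectIdentifier0')`; if that attribute is unset for a subject the concatenation presumably yields `uid=null,ou=people,...` rather than failing, which deserves either a guard in the script or a note explaining why every provisioned subject is guaranteed to have it.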
157 changes: 128 additions & 29 deletions ex201/ex201.end/container_files/seed-data/bootstrap.gsh
Expand Up @@ -6,6 +6,9 @@ import edu.internet2.middleware.grouper.app.grouperTypes.*
import edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningAttributeNames
import edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningSettings
import edu.internet2.middleware.grouper.cfg.dbConfig.GrouperDbConfig
import edu.internet2.middleware.grouper.app.attestation.*;
import java.text.SimpleDateFormat;


/***** START Defaults that may need to be changed for each class *****/

Expand All @@ -17,8 +20,7 @@ java.util.Date RECENT_GRAD_END_DATE = cal.time

/***** END Defaults that may need to be changed for each class *****/


GrouperSession gs = GrouperSession.startRootSession()
GrouperSession gs = GrouperSession.start(SubjectFinder.findByIdentifierAndSource("banderson", "eduLDAP", true))

/* Creating a class for methods helps with gsh from the command line, which can't do functions called from other functions */
class HelperMethods {
Expand All @@ -44,10 +46,14 @@ class HelperMethods {
save()
}

static int countPersonSubjects(Group g) {
return g.members.findAll {it.subjectType.name == "person"}.size()
}

static void addSubjectWithCount(Group g, Subject s) {
int countBefore = g.members.findAll {it.subjectType.name == "person"}.size()
int countBefore = countPersonSubjects(g)
g.addMember(s, false)
int countAfter = g.members.findAll {it.subjectType.name == "person"}.size()
int countAfter = countPersonSubjects(g)
println "\tAdd ${s.name} to ${g.name}: ${countBefore} -> ${countAfter} (${countAfter - countBefore})"
}

Expand Down Expand Up @@ -109,24 +115,44 @@ class HelperMethods {
}
}

static void provisionObject(AttributeAssignable object, String provisioningTargetId) {
AttributeDefName provisioningMarkerAttributeDefName = GrouperProvisioningAttributeNames.retrieveAttributeDefNameBase()
AttributeDefName provisioningDirectAttributeDefName = GrouperProvisioningAttributeNames.retrieveAttributeDefNameDirectAssignment()
AttributeDefName provisioningTargetAttributeDefName = GrouperProvisioningAttributeNames.retrieveAttributeDefNameTarget()
AttributeDefName provisioningStemScopeAttributeDefName = GrouperProvisioningAttributeNames.retrieveAttributeDefNameStemScope()
AttributeDefName provisioningDoProvisionAttributeDefName = GrouperProvisioningAttributeNames.retrieveAttributeDefNameDoProvision()
// GRP-3592 no method for provisioningMetadataJson
AttributeDefName provisioningMdJsonAttributeDefName = AttributeDefNameFinder.findByName(
GrouperProvisioningSettings.provisioningConfigStemName() + ":" + GrouperProvisioningAttributeNames.PROVISIONING_METADATA_JSON, true)
static void provisionObject(AttributeAssignable object, String provisioningTargetId, String metadataJson=null) {

AttributeAssign attributeAssign = object.attributeDelegate.assignAttribute(GrouperProvisioningAttributeNames.retrieveAttributeDefNameBase()).getAttributeAssign()
attributeAssign.attributeValueDelegate.with {
assignValue(GrouperProvisioningAttributeNames.retrieveAttributeDefNameDirectAssignment().getName(), "true")
assignValue(GrouperProvisioningAttributeNames.retrieveAttributeDefNameDoProvision().getName(), provisioningTargetId)
assignValue(GrouperProvisioningAttributeNames.retrieveAttributeDefNameTarget().getName(), provisioningTargetId)

if (object instanceof Stem) {
assignValue(GrouperProvisioningAttributeNames.retrieveAttributeDefNameStemScope().getName(), "sub")
}

if (metadataJson != null) {
// GRP-3592 no method for provisioningMetadataJson
assignValue(AttributeDefNameFinder.findByName(
GrouperProvisioningSettings.provisioningConfigStemName() + ":" + GrouperProvisioningAttributeNames.PROVISIONING_METADATA_JSON, true).
getName(), metadataJson)
}
}

}

AttributeAssign aa = object.getAttributeDelegate().addAttribute(provisioningMarkerAttributeDefName).getAttributeAssign()
aa.getAttributeValueDelegate().assignValue(provisioningDirectAttributeDefName.getName(), "true")
aa.getAttributeValueDelegate().assignValue(provisioningTargetAttributeDefName.getName(), provisioningTargetId)
aa.getAttributeValueDelegate().assignValue(provisioningDoProvisionAttributeDefName.getName(), "false")
aa.getAttributeValueDelegate().assignValue(provisioningStemScopeAttributeDefName.getName(), "sub")
aa.getAttributeValueDelegate().assignValue(provisioningMdJsonAttributeDefName.getName(), '''{"md_grouper_allowPolicyGroupOverride":true}''')
static void addAttestation(g, isSendMail, daysUntilRecertify) {
AttributeAssign attributeAssign = g.attributeDelegate.assignAttribute(GrouperAttestationJob.retrieveAttributeDefNameValueDef()).getAttributeAssign()
// Set date certified to today, so that it won't force attestation until the next time due
def date = new SimpleDateFormat("yyyy/MM/dd").format(new Date())
attributeAssign.attributeValueDelegate.with {
assignValue(GrouperAttestationJob.retrieveAttributeDefNameDirectAssignment().getName(), "true")
assignValue(GrouperAttestationJob.retrieveAttributeDefNameSendEmail().getName(), isSendMail)
assignValue(GrouperAttestationJob.retrieveAttributeDefNameHasAttestation().getName(), "true")
assignValue(GrouperAttestationJob.retrieveAttributeDefNameEmailAddresses().getName(), null)
assignValue(GrouperAttestationJob.retrieveAttributeDefNameDaysUntilRecertify().getName(), daysUntilRecertify)
assignValue(GrouperAttestationJob.retrieveAttributeDefNameDateCertified().getName(), date)
}
}

static void attestGroup(Group g) {
//TODO
}
}

Expand Down Expand Up @@ -251,10 +277,10 @@ Stem policyStem = StemFinder.findByName(gs, "app:eduPersonAffiliation:service:po
HelperMethods.assignObjectTypeForStem(policyStem, "policy")

[
"ePA_student": ["ref:student:students"],
"ePA_staff": ["ref:role:emp:staff"],
"ePA_faculty": ["ref:role:emp:faculty"],
"ePA_member": ["${policyStem.name}:ePA_student", "${policyStem.name}:ePA_staff", "${policyStem.name}:ePA_faculty"]
"student": ["ref:student:students"],
"staff": ["ref:role:emp:staff"],
"faculty": ["ref:role:emp:faculty"],
"member": ["${policyStem.name}:student", "${policyStem.name}:staff", "${policyStem.name}:faculty"]
].each { policyName, memberNames ->
Group group = new GroupSave(gs).assignName("${policyStem.name}:${policyName}").save()
memberNames.each { memberName ->
Expand All @@ -263,9 +289,8 @@ HelperMethods.assignObjectTypeForStem(policyStem, "policy")
}
}

/* Provisioning - the edupersonAffiliation provisioner should already be set up in 101.1.1 */
HelperMethods.provisionObject(policyStem, "eduPersonAffiliation")

/* Provisioning - the eduPersonAffiliation provisioner should already be set up in 101.1.1 */
HelperMethods.provisionObject(policyStem, "eduPersonAffiliation", '''{"md_grouper_allowPolicyGroupOverride":true}''')


/***** 201.4 eduPersonEntitlement *****/
Expand Down Expand Up @@ -314,10 +339,84 @@ config.propertyName("otherJob.eduPersonEntitlement_full_sync.provisionerConfigId
config.propertyName("otherJob.eduPersonEntitlement_full_sync.quartzCron").value('''0 0 4 * * ?''').store()


/* Provisioning - the eduPersonEntitlement provisioner should already be set up in 101.1.1 */
Group group = GroupFinder.findByName(gs, "app:wiki:service:policy:wiki_user", true)

HelperMethods.provisionObject(group, "eduPersonEntitlement", '''{"md_entitlementValue":"http://sp.example.org/wiki"}''')


/***** 201.5: Policy groups and dynamic application permissions (Cognos) *****/

HelperMethods.newApplicationTemplate(StemFinder.findByName(gs, "app", true),
"cognos",
"cognos",
"Manage poicy roles for Cognos application",
null)

Stem policyStem = StemFinder.findByName(gs, "app:cognos:service:policy", true)
ArrayList<String> myServiceActionIds = [
'policyGroupCreate',
'policyGroupType',
'policyGroupAllowGroupCreate',
'allowIntermediatgeGroupType',
//'policyGroupAllowManualGroupCreate',
//'policyGroupAddManualToAllow',
//'allowManualGroupType',
'policyGroupDenyGroupCreate',
'denyIntermediatgeGroupType',
'policyGroupLockoutGroup_0',
//'policyGroupDenyManualGroupCreate',
//'policyGroupAddManualToDeny',
//'denyManualGroupType',
//'policyGroupRequireGroup_0'
]

HelperMethods.newPolicyTemplate(policyStem,
"cg_fin_report_reader",
"cg_fin_report_reader",
"Report Reader Access Policy",
myServiceActionIds
)

HelperMethods.newPolicyTemplate(policyStem,
"cg_fin_report_writer",
"cg_fin_report_writer",
"Report Writer Access Policy",
myServiceActionIds
)


Group financeStaff = GroupFinder.findByName(gs, "basis:hr:employee:dept:10810:staff", true)
Group cg_fin_report_reader_allow = GroupFinder.findByName(gs, "app:cognos:service:policy:cg_fin_report_reader_allow", true)
"app:cognos:service:policy:cg_fin_report_reader_allow"

HelperMethods.addSubjectWithCount(cg_fin_report_reader_allow, financeStaff.toSubject())


Group financeWritersRef = new GroupSave(gs).assignName("app:cognos:service:ref:finance_report_writer").
assignCreateParentStemsIfNotExist(true).
save()

HelperMethods.assignObjectTypeForGroup(financeWritersRef, "ref", "Finance Manager", $/Employees authorized by the Finance Manager have access to write reports/$)


Group financeMgrRole = new GroupSave(gs).assignName("ref:role:financeManager").
assignDisplayExtension("Finance Manager").
save()
HelperMethods.assignObjectTypeForGroup(financeMgrRole, "ref")

Subject driddle = SubjectFinder.findByIdentifierAndSource("driddle", "eduLDAP", true)
financeMgrRole.addMember(driddle, false)

financeWritersRef.grantPriv(financeMgrRole.toSubject(), AccessPrivilege.READ, false)
financeWritersRef.grantPriv(financeMgrRole.toSubject(), AccessPrivilege.UPDATE, false)

HelperMethods.addAttestation(financeWritersRef, "true", "30")

/* Provisioning - the edupersonAffiliation provisioner should already be set up in 101.1.1 */
HelperMethods.provisionObject(policyStem, "eduPersonAffiliation")
GrouperSession gs2 = GrouperSession.start(SubjectFinder.findByIdentifierAndSource("driddle", "eduLDAP", true))

/* TODO ePA and ePT full sync provisioners are not working */
Subject ccampbe2 = SubjectFinder.findByIdentifierAndSource("ccampbe2", "eduLDAP", true)
financeWritersRef.addMember(ccampbe2, false)

// Mark reviewed
//TODO HelperMethods.attestGroup(financeWritersRef)
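Review bot: The last hunk calls `HelperMethods.provisionObject(policyStem, "eduPersonAffiliation")`, but by then `policyStem` has been reassigned to `app:cognos:service:policy` in the 201.5 block, so the Cognos report-access policy groups would be pushed through the affiliation provisioner; the comment above it is a verbatim copy of the one in the ePA section, which looks like a copy-paste rather than intent. If Cognos is not meant to be provisioned in this exercise those two lines should go; if it is, the target should be the provisioner whose semantics match those groups and the comment should say so. The bare string literal `"app:cognos:service:policy:cg_fin_report_reader_allow"` on the line after the `GroupFinder.findByName` call is a no-op expression statement and should be removed. `gs2` is started as driddle but never stopped and never passed to anything; if the point is that the following `financeWritersRef.addMember(ccampbe2, false)` runs under driddle's UPDATE privilege rather than banderson's, a comment should state that, since whether `GrouperSession.start` rebinds the thread's current session is not visible from this script.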
33 changes: 33 additions & 0 deletions ex401/ex401.end/Dockerfile
@@ -0,0 +1,33 @@
ARG VERSION_TAG
FROM tier/gte:201.end-$VERSION_TAG

LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
Vendor="TIER" \
ImageType="Grouper Training" \
ImageName=$imagename \
ImageOS=centos7

ENV USERTOKEN=gte-401.1.end

COPY container_files/seed-data/ /seed-data/

# won't work if no files in here, since the folder won't be in git. Uncomment only if there are any property files to override
#COPY container_files/conf/ /opt/grouper/grouperWebapp/WEB-INF/classes/

# && setupFiles
RUN . /usr/local/bin/library.sh \
&& prep_conf && prep_finish; \
(/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
&& while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
(mysqld_safe & ) \
&& while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
cd /opt/grouper/grouperWebapp/WEB-INF \
&& ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \
&& mysql grouper < /seed-data/sisData.sql \
&& cp -r /opt/grouper/grouperWebapp/WEB-INF/libUiAndDaemon/* /opt/grouper/grouperWebapp/WEB-INF/lib/ \
&& if [ ! -f /usr/local/bin/java ]; then ln -s /usr/lib/jvm/java-1.8.0-amazon-corretto/bin/java /usr/local/bin/java; fi \
&& sudo --preserve-env=PATH -u tomcat bin/gsh.sh /seed-data/bootstrap.gsh \
&& pkill -HUP slapd \
&& while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
pkill -u mysql mysqld \
&& while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
