diff --git a/Jenkinsfile b/Jenkinsfile
index 2279b80..5f6f6a4 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -15,7 +15,7 @@
 **/
 exceriseSets = [
 // 'ex101' : [3, 2],
- 'ex201' : [1, 1],
+ 'ex201' : [1, 1, 1, 1, 1],
 // 'ex301' : [2, 2, 5, 6],
 'ex401' : [6, 9, 7, 1]
 ]
diff --git a/ex201/ex201.1.1/Dockerfile b/ex201/ex201.1.1/Dockerfile
index ae61992..8b2425a 100644
--- a/ex201/ex201.1.1/Dockerfile
+++ b/ex201/ex201.1.1/Dockerfile
@@ -12,7 +12,9 @@
 COPY container_files/seed-data/ /seed-data/
 COPY container_files/grouper-loader.properties /opt/grouper/conf/
 COPY container_files/subject.properties /opt/grouper/conf/
-RUN (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
+RUN . /usr/local/bin/library.sh \
+ && prepConf; \
+ (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
 && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
 (mysqld_safe & ) \
 && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
diff --git a/ex201/ex201.1.1/container_files/grouper-loader.properties b/ex201/ex201.1.1/container_files/grouper-loader.properties
index ae41ed1..73c70d5 100644
--- a/ex201/ex201.1.1/container_files/grouper-loader.properties
+++ b/ex201/ex201.1.1/container_files/grouper-loader.properties
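Review bot: In the ex201.1.1 Dockerfile hunk the new `&& prepConf; \` line ends the list with `;`, so a non-zero exit from prepConf is discarded and slapd/mysqld are started regardless; everything after that point is gated with `&&`, which makes this one terminator look accidental. Unless library.sh (not visible here) is meant to be best-effort, `&& prepConf \` keeps the failure visible and stops the build before the directory is seeded on an unprepared config. The RUN statement continues past the end of the hunk, so the later seed and shutdown steps are not visible from this view.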
@@ -71,3 +71,23 @@ ldap.demo.tls = false
 #make the paths fully qualified and not relative to the loader group.
 loader.ldap.requireTopStemAsStemFromConfigGroup=false
+
+changeLog.consumer.pspng_affiliations.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
+changeLog.consumer.pspng_affiliations.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner
+changeLog.consumer.pspng_affiliations.quartzCron = 0 * * * * ?
+changeLog.consumer.pspng_affiliations.ldapPoolName = demo
+changeLog.consumer.pspng_affiliations.provisionedAttributeName = eduPersonAffiliation
+changeLog.consumer.pspng_affiliations.provisionedAttributeValueFormat = ${group.extension.replace('ePA_', '')}
+changeLog.consumer.pspng_affiliations.userSearchBaseDn = ou=people,dc=internet2,dc=edu
+changeLog.consumer.pspng_affiliations.userSearchFilter = uid=${subject.id}
+changeLog.consumer.pspng_affiliations.allProvisionedValuesPrefix=*
+
+changeLog.consumer.pspng_entitlements.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
+changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner
+changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
+changeLog.consumer.pspng_entitlements.ldapPoolName = demo
+changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
+changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:wiki:service:policy:wiki_authorized') ? 'http://sp.example.org/wiki' : 'urn:mace:example.edu:' + group.extension}
+changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
+changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
+changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=*
diff --git a/ex201/ex201.2.1/Dockerfile b/ex201/ex201.2.1/Dockerfile
index 09172ed..053c7a3 100644
--- a/ex201/ex201.2.1/Dockerfile
+++ b/ex201/ex201.2.1/Dockerfile
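Review bot: `allProvisionedValuesPrefix=*` on both new consumers declares every existing eduPersonAffiliation and eduPersonEntitlement value on a user entry to be Grouper-owned, so a PSPNG full sync will (as far as I understand the prefix semantics) remove any value another system wrote to those attributes; that is a deliberate but consequential choice and deserves a comment such as `# '*' claims ALL values of this attribute as Grouper-managed; full sync removes values not derived from a provisioned group`. The hunk's context shows `ldap.demo.tls = false`, so unless the `demo` pool's URL is ldaps:// the provisioner's binds and writes travel in the clear; fine for a self-contained training container, but a one-line note saying so would stop the file being copied as-is. `userSearchFilter = uid=${subject.id}` interpolates the subject id straight into a filter; whether PSPNG escapes filter metacharacters is not visible here and is worth confirming.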
@@ -9,8 +9,6 @@ LABEL author="tier-packaging@internet2.edu " \
 ENV USERTOKEN=ex201.2.1
 COPY container_files/seed-data/ /seed-data/
-COPY container_files/grouper-loader.properties /opt/grouper/conf/
-COPY container_files/subject.properties /opt/grouper/conf/
 RUN (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
 && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
diff --git a/ex201/ex201.2.1/container_files/grouper-loader.properties b/ex201/ex201.2.1/container_files/grouper-loader.properties
deleted file mode 100644
index ae41ed1..0000000
--- a/ex201/ex201.2.1/container_files/grouper-loader.properties
+++ /dev/null
@@ -1,73 +0,0 @@ -#specify the consumers here. specify the consumer name after the changeLog.consumer. part. This example is "psp" -#but it could be changeLog.consumer.myConsumerName.class -#the class must extend edu.internet2.middleware.grouper.changeLog.ChangeLogConsumerBase -#changeLog.consumer.psp.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer - -#the quartz cron is a cron-like string. it defaults to every minute on the minute (since the temp to change log job runs -#at 10 seconds to each minute). it defaults to this: 0 * * * * ? -#though it will stagger each one by 2 seconds -# http://www.quartz-scheduler.org/documentation/quartz-1.x/tutorials/crontrigger -#changeLog.consumer.psp.quartzCron = 0 * * * * ? - -# To retry processing a change log entry if an error occurs, set retryOnError to true. Defaults to false. -#changeLog.consumer.psp.retryOnError = false - -# To run full provisioning synchronizations periodically, provide the class name which provides a 'public void fullSync()' method. -#changeLog.psp.fullSync.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer - -# Schedule full synchronizations. Defaults to 5 am : 0 0 5 * * ?. -#changeLog.psp.fullSync.quartzCron = 0 0 5 * * ? - -# Run a full synchronization job at startup. Defaults to false. -#changeLog.psp.fullSync.runAtStartup = false - -# Omit diff responses from bulk response to conserve memory. -#changeLog.psp.fullSync.omitDiffResponses = true - -# Omit sync responses from bulk response to conserve memory. -#changeLog.psp.fullSync.omitSyncResponses = true - -################################# -## LDAP connections -################################# -# specify the ldap connection with user, pass, url -# the string after "ldap." is the ID of the connection, and it should not have -# spaces or other special chars in it. In this case is it "personLdap" - -#note the URL should start with ldap: or ldaps: if it is SSL. 
-#It should contain the server and port (optional if not default), and baseDn, -#e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu -ldap.demo.url = ldap://localhost:389/ - -#optional, if authenticated -ldap.demo.user = cn=root,dc=internet2,dc=edu - -#optional, if authenticated note the password can be stored encrypted in an external file -ldap.demo.pass = password - -#optional, if you are using tls, set this to true. Generally you will not be using an SSL URL to use TLS... -ldap.demo.tls = false - -#optional, if using sasl -#ldap.personLdap.saslAuthorizationId = -#ldap.personLdap.saslRealm = - -#optional (note, time limit is for search operations, timeout is for connection timeouts), -#most of these default to vt-ldap defaults. times are in millis -#validateOnCheckout defaults to true if all other validate methods are false -#ldap.personLdap.batchSize = -#ldap.personLdap.countLimit = -#ldap.personLdap.timeLimit = -#ldap.personLdap.timeout = -#ldap.personLdap.minPoolSize = -#ldap.personLdap.maxPoolSize = -#ldap.personLdap.validateOnCheckIn = -#ldap.personLdap.validateOnCheckOut = -#ldap.personLdap.validatePeriodically = -#ldap.personLdap.validateTimerPeriod = -#ldap.personLdap.pruneTimerPeriod = -#if connections expire after a certain amount of time, this is it, in millis, defaults to 300000 (5 minutes) -#ldap.personLdap.expirationTime = - -#make the paths fully qualified and not relative to the loader group. -loader.ldap.requireTopStemAsStemFromConfigGroup=false diff --git a/ex201/ex201.2.1/container_files/subject.properties b/ex201/ex201.2.1/container_files/subject.properties deleted file mode 100644 index b55a10a..0000000 --- a/ex201/ex201.2.1/container_files/subject.properties +++ /dev/null 
@@ -1,76 +0,0 @@ -subjectApi.source.ldap.id = ldap -subjectApi.source.ldap.name = EDU Ldap -subjectApi.source.ldap.types = person -subjectApi.source.ldap.adapterClass = edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter -subjectApi.source.ldap.param.ldapServerId.value = demo -subjectApi.source.ldap.param.SubjectID_AttributeType.value = uid -subjectApi.source.ldap.param.SubjectID_formatToLowerCase.value = false -subjectApi.source.ldap.param.Name_AttributeType.value = cn -subjectApi.source.ldap.param.Description_AttributeType.value = cn -subjectApi.source.ldap.param.VTLDAP_VALIDATOR.value = ConnectLdapValidator - -subjectApi.source.ldap.param.SubjectID_AttributeType.value = uid -subjectApi.source.ldap.param.SubjectID_formatToLowerCase.value = false -subjectApi.source.ldap.param.Name_AttributeType.value = displayName -subjectApi.source.ldap.param.Description_AttributeType.value = displayName -subjectApi.source.ldap.param.subjectVirtualAttribute_0_searchAttribute0.value = ${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('exampleEduRegId'), "")} -subjectApi.source.ldap.param.sortAttribute0.value = cn -subjectApi.source.ldap.param.searchAttribute0.value = searchAttribute0 -subjectApi.source.ldap.param.subjectVirtualAttribute_0_searchAttribute0.value = ${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('employeeNumber'), "")} -subjectApi.source.ldap.param.subjectVirtualAttribute_1_displayName.value = ${subject.getAttributeValueOrCommaSeparated('cn') + ' (' + subject.getAttributeValueOrCommaSeparated('uid') + ', ' + subject.getAttributeValueOrCommaSeparated('title') + ')'} - -# STATUS 
SECTION for searches to filter out inactives and allow -# the user to filter by status with e.g. status=all -# this is optional, and advanced -# -# field in database or ldap or endpoint that is the status field -#subjectApi.source.example.param.statusDatastoreFieldName.value = status - -# search string from user which represents the status. e.g. status=active -#subjectApi.source.example.param.statusLabel.value = status - -# available statuses from screen (if not specified, any will be allowed). comma separated list. -# Note, this is optional and you probably dont want to configure it, it is mostly necessary -# when you have multiple sources with statuses... if someone types an invalid status -# and you have this configured, it will not filter by it -#subjectApi.source.example.param.statusesFromUser.value = Active, Inactive, Pending, All - -# all label from the user -#subjectApi.source.example.param.statusAllFromUser.value = All - -# if no status is specified, this will be used (e.g. for active only). Note, the value should be of the -# form the user would type in -#subjectApi.source.example.param.statusSearchDefault.value = status=active - -# translate between screen values of status, and the data store value. Increment the 0 to 1, 2, etc for more translations. -# so the user could enter: status=active, and that could translate to status_col=A. The 'user' is what the user types in, -# the 'datastore' is what is in the datastore. The user part is not case-sensitive. Note, this could be a many to one -#subjectApi.source.example.param.statusTranslateUser0.value = active -#subjectApi.source.example.param.statusTranslateDatastore0.value = A - -# subject identifier to store in grouper's member table. this is used to increase speed of loader and perhaps for provisioning -# you can have up to max 1 subject identifier -subjectApi.source.ldap.param.subjectIdentifierAttribute0.value = employeeNumber - -#searchSubject: find a subject by ID. 
ID is generally an opaque and permanent identifier, e.g. 12345678. -# Each subject has one and only on ID. Returns one result when searching for one ID. -subjectApi.source.ldap.search.searchSubject.param.filter.value = (&(uid=%TERM%)(objectclass=person)) -subjectApi.source.ldap.search.searchSubject.param.scope.value = SUBTREE_SCOPE -subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people,dc=internet2,dc=edu - -#searchSubjectByIdentifier: find a subject by identifier. Identifier is anything that uniquely -# identifies the user, e.g. jsmith or jsmith@institution.edu. -# Subjects can have multiple identifiers. Note: it is nice to have if identifiers are unique -# even across sources. Returns one result when searching for one identifier. -subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(employeeNumber=%TERM%)(objectclass=person)) -subjectApi.source.ldap.search.searchSubjectByIdentifier.param.scope.value = SUBTREE_SCOPE -subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people,dc=internet2,dc=edu - -# search: find subjects by free form search. Returns multiple results. - -subjectApi.source.ldap.search.search.param.filter.value = (&(|(|(uid=%TERM%)(cn=*%TERM%*))(uid=%TERM%*))(objectclass=person)) -subjectApi.source.ldap.search.search.param.scope.value = SUBTREE_SCOPE -subjectApi.source.ldap.search.search.param.base.value = ou=people,dc=internet2,dc=edu - -subjectApi.source.ldap.attributes = givenName, sn, cn, uid, mail, employeeNumber, title -subjectApi.source.ldap.internalAttributes = searchAttribute0 diff --git a/ex201/ex201.3.1/Dockerfile b/ex201/ex201.3.1/Dockerfile new file mode 100644 index 0000000..029b891 --- /dev/null +++ b/ex201/ex201.3.1/Dockerfile 
@@ -0,0 +1,24 @@
+FROM tier/grouper-training-env:ex201.2.end
+
+LABEL author="tier-packaging@internet2.edu " \
+ Vendor="TIER" \
+ ImageType="Grouper Training" \
+ ImageName=$imagename \
+ ImageOS=centos7
+
+ENV USERTOKEN=ex201.3.1
+
+COPY container_files/seed-data/ /seed-data/
+
+RUN (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
+ && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
+ (mysqld_safe & ) \
+ && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
+ cd /opt/grouper/grouper.apiBinary \
+ && ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \
+ && mysql grouper < /seed-data/sisData.sql \
+ && bin/gsh /seed-data/bootstrap.gsh \
+ && pkill -HUP slapd \
+ && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
+ pkill -u mysql mysqld \
+ && while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
diff --git a/ex201/ex201.3.1/container_files/seed-data/bootstrap.gsh b/ex201/ex201.3.1/container_files/seed-data/bootstrap.gsh
new file mode 100644
index 0000000..3cf57fd
--- /dev/null
+++ b/ex201/ex201.3.1/container_files/seed-data/bootstrap.gsh
@@ -0,0 +1 @@
+GrouperSession.startRootSession()
diff --git a/ex201/ex201.3.1/container_files/seed-data/sisData.sql b/ex201/ex201.3.1/container_files/seed-data/sisData.sql
new file mode 100644
index 0000000..e69de29
diff --git a/ex201/ex201.3.1/container_files/seed-data/users.ldif b/ex201/ex201.3.1/container_files/seed-data/users.ldif
new file mode 100644
index 0000000..e69de29
diff --git a/ex201/ex201.3.end/Dockerfile b/ex201/ex201.3.end/Dockerfile
new file mode 100644
index 0000000..c8c5362
--- /dev/null
+++ b/ex201/ex201.3.end/Dockerfile
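Review bot: A failure in `ldapadd`, `mysql` or `bin/gsh` in the RUN step is silently lost: the `&&` chain that contains them is terminated by `done; \`, after which `pkill -u mysql mysqld && while …` runs unconditionally and the layer commits with whatever the last `while` loop returned (normally 0), so a broken seed script still yields a "successful" image. Capturing the status and returning it at the end keeps the shutdown logic while making the build fail honestly: change the gsh line to `&& bin/gsh /seed-data/bootstrap.gsh; rc=$?; \`, drop the leading `&&` on the following `pkill -HUP slapd \` line, and end the final loop with `done; exit $rc`. Whether `pkill -HUP` is a graceful stop for this slapd build is not visible here, so I have left that alone.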
@@ -0,0 +1,24 @@
+FROM tier/grouper-training-env:ex201.3.1
+
+LABEL author="tier-packaging@internet2.edu " \
+ Vendor="TIER" \
+ ImageType="Grouper Training" \
+ ImageName=$imagename \
+ ImageOS=centos7
+
+ENV USERTOKEN=ex201.3.end
+
+COPY container_files/seed-data/ /seed-data/
+
+RUN (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
+ && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
+ (mysqld_safe & ) \
+ && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
+ cd /opt/grouper/grouper.apiBinary \
+ && ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \
+ && mysql grouper < /seed-data/sisData.sql \
+ && bin/gsh /seed-data/bootstrap.gsh \
+ && pkill -HUP slapd \
+ && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
+ pkill -u mysql mysqld \
+ && while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
diff --git a/ex201/ex201.3.end/container_files/seed-data/bootstrap.gsh b/ex201/ex201.3.end/container_files/seed-data/bootstrap.gsh
new file mode 100644
index 0000000..c93caa7
--- /dev/null
+++ b/ex201/ex201.3.end/container_files/seed-data/bootstrap.gsh
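Review bot: The directory manager bind password is passed as `-w password` on the ldapadd command line, which bakes it into the image's layer metadata (`docker history`) and exposes it in the process list while the seed runs; the same value being the well-known training password makes this acceptable here, but a reader copying the pattern would not know that. A comment above the RUN such as `# training fixture: the LDAP root bind password is intentionally hard-coded and must not be reused outside this lab image` documents the decision, and `-y <passfile>` with a file removed in the same layer is the option if the images are ever pushed to a shared registry. The seed inputs `users.ldif` and `sisData.sql` are empty blobs in this stage, so the ldapadd and mysql steps are currently no-ops, which is worth a note so nobody debugs a "missing" seed.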
@@ -0,0 +1,38 @@
+gs = GrouperSession.startRootSession()
+
+//ex201.3.1
+addStem("app", "eduPersonAffiliation", "eduPersonAffiliation");
+addGroup("app:eduPersonAffiliation", "ePA_student", "ePA_student");
+addGroup("app:eduPersonAffiliation", "ePA_staff", "ePA_staff");
+addGroup("app:eduPersonAffiliation", "ePA_alum", "ePA_alum");
+addGroup("app:eduPersonAffiliation", "ePA_member", "ePA_member");
+addGroup("app:eduPersonAffiliation", "ePA_affiliate", "ePA_affiliate");
+addGroup("app:eduPersonAffiliation", "ePA_employee", "ePA_employee");
+addGroup("app:eduPersonAffiliation", "ePA_library-walk-in", "ePA_library-walk-in");
+
+//ex201.3.2
+addMember("app:eduPersonAffiliation:ePA_student", "ref:student:students");
+
+//ex201.3.3
+addMember("app:eduPersonAffiliation:ePA_member", "app:eduPersonAffiliation:ePA_student");
+addMember("app:eduPersonAffiliation:ePA_member", "app:eduPersonAffiliation:ePA_staff");
+addMember("app:eduPersonAffiliation:ePA_member", "app:eduPersonAffiliation:ePA_alum");
+addMember("app:eduPersonAffiliation:ePA_member", "app:eduPersonAffiliation:ePA_affiliate");
+addMember("app:eduPersonAffiliation:ePA_member", "app:eduPersonAffiliation:ePA_employee");
+
+//ex201.3.4
+
+//Assign the PSPNG attribute for the standard groups
+group = GroupFinder.findByName(gs, "app:eduPersonAffiliation:ePA_student");
+
+# Auto create the PSPNG attributes
+edu.internet2.middleware.grouper.pspng.FullSyncProvisionerFactory.getFullSyncer("pspng_affiliations");
+
+pspngAttribute = AttributeDefNameFinder.findByName("etc:pspng:provision_to", true);
+AttributeAssignSave attributeAssignSave = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true);
+attributeAssignSave.assignAttributeDefName(pspngAttribute);
+attributeAssignSave.assignOwnerGroup(group);
+attributeAssignSave.addValue("pspng_affiliations");
+attributeAssignSave.save();
+
+//ex201.3.5
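Review bot: `# Auto create the PSPNG attributes` uses `#` as a comment marker, but every other comment in this script uses `//`, and in the Groovy/BeanShell-style interpreters gsh is built on `#` is not a comment, so the bootstrap most likely aborts before the provision_to assignment that the exercise end-state depends on; change it to `// Auto create the PSPNG attributes`. The `getFullSyncer("pspng_affiliations")` call couples this script to the consumer name declared in grouper-loader.properties, which is worth saying in the comment so renames stay in step. `ref:student:students` is referenced but not created here, so this script presumably relies on the ex201.2.end base image already containing it.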
diff --git a/ex201/ex201.3.end/container_files/seed-data/sisData.sql b/ex201/ex201.3.end/container_files/seed-data/sisData.sql
new file mode 100644
index 0000000..e69de29
diff --git a/ex201/ex201.3.end/container_files/seed-data/users.ldif b/ex201/ex201.3.end/container_files/seed-data/users.ldif
new file mode 100644
index 0000000..e69de29
diff --git a/ex201/ex201.4.1/Dockerfile b/ex201/ex201.4.1/Dockerfile
new file mode 100644
index 0000000..d161570
--- /dev/null
+++ b/ex201/ex201.4.1/Dockerfile
@@ -0,0 +1,24 @@
+FROM tier/grouper-training-env:ex201.3.end
+
+LABEL author="tier-packaging@internet2.edu " \
+ Vendor="TIER" \
+ ImageType="Grouper Training" \
+ ImageName=$imagename \
+ ImageOS=centos7
+
+ENV USERTOKEN=ex201.4.1
+
+COPY container_files/seed-data/ /seed-data/
+
+RUN (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
+ && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
+ (mysqld_safe & ) \
+ && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
+ cd /opt/grouper/grouper.apiBinary \
+ && ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \
+ && mysql grouper < /seed-data/sisData.sql \
+ && bin/gsh /seed-data/bootstrap.gsh \
+ && pkill -HUP slapd \
+ && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
+ pkill -u mysql mysqld \
+ && while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
diff --git a/ex201/ex201.4.1/container_files/seed-data/bootstrap.gsh b/ex201/ex201.4.1/container_files/seed-data/bootstrap.gsh
new file mode 100644
index 0000000..63f8ffd
--- /dev/null
+++ b/ex201/ex201.4.1/container_files/seed-data/bootstrap.gsh
@@ -0,0 +1,2 @@
+gs = GrouperSession.startRootSession()
+
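Review bot: `ImageName=$imagename` in the LABEL has no matching `ARG imagename` in this Dockerfile, so unless the base image exports `imagename` as an ENV the variable expands to an empty string and every stage is labelled `ImageName=`. Either add `ARG imagename` above the LABEL so the Jenkins build can pass `--build-arg imagename=…`, or set the literal `ImageName=ex201.4.1` since `ENV USERTOKEN=ex201.4.1` already hard-codes the same value two lines later. The same LABEL block appears in each of the new stage Dockerfiles in this commit.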
diff --git a/ex201/ex201.4.1/container_files/seed-data/sisData.sql b/ex201/ex201.4.1/container_files/seed-data/sisData.sql
new file mode 100644
index 0000000..e69de29
diff --git a/ex201/ex201.4.1/container_files/seed-data/users.ldif b/ex201/ex201.4.1/container_files/seed-data/users.ldif
new file mode 100644
index 0000000..e69de29
diff --git a/ex201/ex201.4.end/Dockerfile b/ex201/ex201.4.end/Dockerfile
new file mode 100644
index 0000000..a0ec2b2
--- /dev/null
+++ b/ex201/ex201.4.end/Dockerfile
@@ -0,0 +1,24 @@
+FROM tier/grouper-training-env:ex201.4.1
+
+LABEL author="tier-packaging@internet2.edu " \
+ Vendor="TIER" \
+ ImageType="Grouper Training" \
+ ImageName=$imagename \
+ ImageOS=centos7
+
+ENV USERTOKEN=ex201.4.end
+
+COPY container_files/seed-data/ /seed-data/
+
+RUN (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
+ && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
+ (mysqld_safe & ) \
+ && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
+ cd /opt/grouper/grouper.apiBinary \
+ && ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \
+ && mysql grouper < /seed-data/sisData.sql \
+ && bin/gsh /seed-data/bootstrap.gsh \
+ && pkill -HUP slapd \
+ && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
+ pkill -u mysql mysqld \
+ && while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
diff --git a/ex201/ex201.4.end/container_files/seed-data/bootstrap.gsh b/ex201/ex201.4.end/container_files/seed-data/bootstrap.gsh
new file mode 100644
index 0000000..7f84f52
--- /dev/null
+++ b/ex201/ex201.4.end/container_files/seed-data/bootstrap.gsh
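Review bot: The twelve-line RUN block here is byte-identical to the one in the other new stage Dockerfiles in this commit, differing only in `FROM` and `USERTOKEN`, so any correction to the start/seed/stop sequence has to be applied five times. ex201.1.1 already sources `/usr/local/bin/library.sh` from the base image; shipping this sequence there as a `seedStage` function (or a `/usr/local/bin/seed-stage.sh`) would reduce each stage to `RUN . /usr/local/bin/library.sh && seedStage` and put the credential and shutdown handling in one reviewable place. A short header comment naming the base-image script would then be the only documentation each stage needs.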
@@ -0,0 +1,42 @@
+gs = GrouperSession.startRootSession()
+
+//ex201.4.1
+addStem("app", "wiki", "wiki");
+addStem("app:wiki", "service", "service");
+addStem("app:wiki:service", "policy", "policy");
+
+addGroup("app:wiki:service:policy", "wiki_authorized", "wiki_authorized");
+addGroup("app:wiki:service:policy", "wiki_authorized", "wiki_authorized");
+addGroup("app:wiki:service:policy", "wiki_authorized_deny", "wiki_authorized_deny");
+addComposite("app:wiki:service:policy:wiki_authorized", CompositeType.COMPLEMENT, "app:wiki:service:policy:wiki_authorized", "app:wiki:service:policy:wiki_authorized_deny");
+
+//ex201.4.2
+addStem("app:wiki", "security", "security");
+addGroup("app:wiki:security", "wiki_admin", "wiki_admin");
+grantPriv("app:wiki:service", "app:wiki:security:wiki_admin", NamingPrivilege.STEM)
+
+//ex201.4.3
+addMember("app:wiki:service:policy:wiki_authorized_allow", "ref:student:students");
+addMember("app:wiki:service:policy:wiki_authorized_deny", "ref:iam:global_deny");
+
+//ex201.4.4
+
+//Assign the PSPNG attribute for the standard groups
+group = GroupFinder.findByName(gs, "app:wiki:service:policy:wiki_authorized");
+
+# Auto create the PSPNG attributes
+edu.internet2.middleware.grouper.pspng.FullSyncProvisionerFactory.getFullSyncer("pspng_entitlements");
+
+pspngAttribute = AttributeDefNameFinder.findByName("etc:pspng:provision_to", true);
+AttributeAssignSave attributeAssignSave = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true);
+attributeAssignSave.assignAttributeDefName(pspngAttribute);
+attributeAssignSave.assignOwnerGroup(group);
+attributeAssignSave.addValue("pspng_entitlements");
+attributeAssignSave.save();
+
+
+//ex201.4.5
+(nothing)
+
+//ex201.4.6
+(nothing)
\ No newline at end of file
diff --git a/ex201/ex201.4.end/container_files/seed-data/sisData.sql b/ex201/ex201.4.end/container_files/seed-data/sisData.sql
new file mode 100644
index 0000000..e69de29
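Review bot: The allow/deny policy for the wiki is wired up wrong in ex201.4.1: the second `addGroup` creates `wiki_authorized` a second time instead of `wiki_authorized_allow`, the `addComposite` then uses `wiki_authorized` as its own left factor, and ex201.4.3's `addMember("app:wiki:service:policy:wiki_authorized_allow", …)` targets a group that is never created, so the students never become authorized and the composite is self-referential; this is an access-policy bug, not just a typo. Two further lines will not parse in a Groovy/BeanShell-style gsh: `# Auto create the PSPNG attributes` (`#` is not a comment there, the rest of the file uses `//`) and the bare `(nothing)` placeholders under ex201.4.5/ex201.4.6, which are evaluated as a reference to an undefined `nothing`. The rewrite below fixes the group set and composite, and turns the offending lines into comments.
```groovy
addGroup("app:wiki:service:policy", "wiki_authorized", "wiki_authorized");
addGroup("app:wiki:service:policy", "wiki_authorized_allow", "wiki_authorized_allow");
addGroup("app:wiki:service:policy", "wiki_authorized_deny", "wiki_authorized_deny");
// authorized = allow minus deny
addComposite("app:wiki:service:policy:wiki_authorized", CompositeType.COMPLEMENT, "app:wiki:service:policy:wiki_authorized_allow", "app:wiki:service:policy:wiki_authorized_deny");
// … unchanged: ex201.4.2 privileges and ex201.4.3 memberships …
// Auto create the PSPNG attributes
// … unchanged: etc:pspng:provision_to assignment …
//ex201.4.5 (nothing)
//ex201.4.6 (nothing)
```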
diff --git a/ex201/ex201.4.end/container_files/seed-data/users.ldif b/ex201/ex201.4.end/container_files/seed-data/users.ldif
new file mode 100644
index 0000000..e69de29
diff --git a/ex201/ex201.5.1/Dockerfile b/ex201/ex201.5.1/Dockerfile
new file mode 100644
index 0000000..30d8c78
--- /dev/null
+++ b/ex201/ex201.5.1/Dockerfile
@@ -0,0 +1,24 @@
+FROM tier/grouper-training-env:ex201.4.end
+
+LABEL author="tier-packaging@internet2.edu " \
+ Vendor="TIER" \
+ ImageType="Grouper Training" \
+ ImageName=$imagename \
+ ImageOS=centos7
+
+ENV USERTOKEN=ex201.5.1
+
+COPY container_files/seed-data/ /seed-data/
+
+RUN (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
+ && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
+ (mysqld_safe & ) \
+ && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
+ cd /opt/grouper/grouper.apiBinary \
+ && ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \
+ && mysql grouper < /seed-data/sisData.sql \
+ && bin/gsh /seed-data/bootstrap.gsh \
+ && pkill -HUP slapd \
+ && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
+ pkill -u mysql mysqld \
+ && while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
diff --git a/ex201/ex201.5.1/container_files/seed-data/bootstrap.gsh b/ex201/ex201.5.1/container_files/seed-data/bootstrap.gsh
new file mode 100644
index 0000000..3cf57fd
--- /dev/null
+++ b/ex201/ex201.5.1/container_files/seed-data/bootstrap.gsh
@@ -0,0 +1 @@
+GrouperSession.startRootSession()
diff --git a/ex201/ex201.5.1/container_files/seed-data/sisData.sql b/ex201/ex201.5.1/container_files/seed-data/sisData.sql
new file mode 100644
index 0000000..e69de29
diff --git a/ex201/ex201.5.1/container_files/seed-data/users.ldif b/ex201/ex201.5.1/container_files/seed-data/users.ldif
new file mode 100644
index 0000000..e69de29
diff --git a/ex201/ex201.5.end/Dockerfile b/ex201/ex201.5.end/Dockerfile
new file mode 100644
index 0000000..f795c84
--- /dev/null
+++ b/ex201/ex201.5.end/Dockerfile
@@ -0,0 +1,24 @@
+FROM tier/grouper-training-env:ex201.5.1
+
+LABEL author="tier-packaging@internet2.edu " \
+ Vendor="TIER" \
+ ImageType="Grouper Training" \
+ ImageName=$imagename \
+ ImageOS=centos7
+
+ENV USERTOKEN=ex201.5.end
+
+COPY container_files/seed-data/ /seed-data/
+
+RUN (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
+ && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
+ (mysqld_safe & ) \
+ && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
+ cd /opt/grouper/grouper.apiBinary \
+ && ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \
+ && mysql grouper < /seed-data/sisData.sql \
+ && bin/gsh /seed-data/bootstrap.gsh \
+ && pkill -HUP slapd \
+ && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
+ pkill -u mysql mysqld \
+ && while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
diff --git a/ex201/ex201.5.end/container_files/seed-data/bootstrap.gsh b/ex201/ex201.5.end/container_files/seed-data/bootstrap.gsh
new file mode 100644
index 0000000..e77f62f
--- /dev/null
+++ b/ex201/ex201.5.end/container_files/seed-data/bootstrap.gsh
@@ -0,0 +1,51 @@
+gs = GrouperSession.startRootSession()
+
+//ex201.5.1
+addStem("app", "cognos", "cognos");
+addStem("app:cognos", "service", "service");
+addStem("app:cognos:service" , "security", "security");
+addGroup("app:cognos:service:security", "cg_adv_manager", "cg_adv_manager");
+
+addStem("app:cognos:service", "ref", "ref");
+addStem("app:cognos:service", "policy", "policy");
+
+addGroup("app:cognos:service:policy", "cg_adv_report_reader", "cg_adv_report_reader");
+addGroup("app:cognos:service:policy", "cg_adv_report_reader_allow", "cg_adv_report_reader_allow");
+addGroup("app:cognos:service:policy", "cg_adv_report_reader_deny", "cg_adv_report_reader_deny");
+
+addGroup("app:cognos:service:policy", "cg_adv_report_writer", "cg_adv_report_writer");
+addGroup("app:cognos:service:policy", "cg_adv_report_writer_allow", "cg_adv_report_writer_allow");
+addGroup("app:cognos:service:policy", "cg_adv_report_writer_deny", "cg_adv_report_writer_deny");
+
+//ex201.5.2
+addStem("ref", "dept", "dept");
+addGroup("ref:dept", "advancement", "advancement");
+addMember("app:cognos:service:policy:cg_adv_report_writer_allow", "ref:dept:advancement");
+
+//ex201.5.3
+group = addGroup("app:cognos:service:ref", "advancement_report_writer", "advancement_report_writer");
+addMember("app:cognos:service:policy:cg_adv_report_writer_allow", "app:cognos:service:ref:advancement_report_writer");
+grantPriv("app:cognos:service:security:cg_adv_manager", "app:cognos:service:policy:cg_adv_report_writer_allow", AccessPrivilege.READ);
+grantPriv("app:cognos:service:security:cg_adv_manager", "app:cognos:service:policy:cg_adv_report_writer_allow", AccessPrivilege.UPDATE);
+
+//ex201.5.4
+attribute = AttributeDefNameFinder.findByName("etc:attribute:attestation:attestation", true);
+attributeAssignSave = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true);
+attributeAssignSave.assignAttributeDefName(attribute);
+attributeAssignSave.assignOwnerGroup(group);
+
+attributeAssignOnAssignSave = new AttributeAssignSave(gs);
+attributeAssignOnAssignSave.assignAttributeAssignType(AttributeAssignType.group_asgn);
+attestationSendEmailAttributeDefName = AttributeDefNameFinder.findByName("etc:attribute:attestation:attestationSendEmail", false);
+attributeAssignOnAssignSave.assignAttributeDefName(attestationSendEmailAttributeDefName);
+attributeAssignOnAssignSave.addValue("true");
+attributeAssignSave.addAttributeAssignOnThisAssignment(attributeAssignOnAssignSave);
+
+attributeAssignOnAssignSave = new AttributeAssignSave(gs);
+attributeAssignOnAssignSave.assignAttributeAssignType(AttributeAssignType.group_asgn);
+attributeDefName = AttributeDefNameFinder.findByName("etc:attribute:attestation:attestationDirectAssignment", false);
+attributeAssignOnAssignSave.assignAttributeDefName(attributeDefName);
+attributeAssignOnAssignSave.addValue("true");
+attributeAssignSave.addAttributeAssignOnThisAssignment(attributeAssignOnAssignSave);
+
+attributeAssign = attributeAssignSave.save();
diff --git a/ex201/ex201.5.end/container_files/seed-data/sisData.sql b/ex201/ex201.5.end/container_files/seed-data/sisData.sql
new file mode 100644
index 0000000..e69de29
diff --git a/ex201/ex201.5.end/container_files/seed-data/users.ldif b/ex201/ex201.5.end/container_files/seed-data/users.ldif
new file mode 100644
index 0000000..e69de29
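Review bot: The two nested attestation lookups pass `false` as the exception-if-not-found flag (`findByName("etc:attribute:attestation:attestationSendEmail", false)` and `findByName("etc:attribute:attestation:attestationDirectAssignment", false)`), whereas the parent `etc:attribute:attestation:attestation` lookup at the top of the same hunk passes `true`; if the attestation attribute definitions are absent in the base image the first call fails loudly but these two hand a null to `assignAttributeDefName`, and the attestation (the control the exercise is demonstrating on `advancement_report_writer`) is silently not configured. Use `true` on both so a missing definition fails the image build, and add a comment above the block along the lines of `// attestation on the ref group: send reminder e-mail, assigned directly (not inherited from the stem)`. `group` here is the return value of the ex201.5.3 `addGroup` in the same hunk, which is worth stating since `group` is reused across the other bootstrap scripts with different meanings.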