content and gte updates for 401.2
wgthom committed Jun 7, 2019
1 parent 8c80828 commit 5b7d16c
Showing 20 changed files with 366 additions and 161 deletions.
2 changes: 1 addition & 1 deletion docs/401/401.1.rst
@@ -409,4 +409,4 @@ attestation lifecycle. Exception managment is distributed and VPN policy
participates in the global deny policy.

.. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program
.. _`PSPNG`: https://spaces.at.internet2.edu/x/iwfSBQ
.. _PSPNG: https://spaces.at.internet2.edu/x/iwfSBQ
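Review bot: dropping the backquotes around the target name in `.. _PSPNG:` is correct reStructuredText (quoting a hyperlink target name is only needed when it contains characters such as colons or spaces), and the `PSPNG` references in the file resolve to either form, so this is a harmless cleanup. While this block is being touched, the unchanged context line above still reads "Exception managment"; "management" would be worth fixing in the same documentation pass.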
303 changes: 173 additions & 130 deletions docs/401/401.2.rst
2 changes: 1 addition & 1 deletion docs/401/examples/401.2.2-pspng-config.properties
@@ -94,7 +94,7 @@ changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.ps
changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
changeLog.consumer.pspng_entitlements.ldapPoolName = demo
changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : 'urn:mace:example.edu:' + group.extension}
changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:service:policy:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : 'urn:mace:example.edu:' + group.extension}
changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=*
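Review bot: the compared group name has to match the new stem layout that `ex401.2.end/container_files/seed-data/bootstrap.gsh` creates (`app:mfa:service:policy:mfa_enabled`), and this hunk does that; any other config or doc that still uses `app:mfa:mfa_enabled` would silently fall through to the `'urn:mace:example.edu:' + group.extension` branch instead of emitting the MFA entitlement, so a grep for the old name across the repository is worthwhile. Separately, the fallback value is built from `group.extension` alone, so two provisioned groups with the same extension in different stems (the seed data creates `mfa_opt_in` under both `app:mfa:service:ref` and `app:mfa:security`) would map to the same entitlement value if both were ever marked for provisioning; deriving the value from the full `group.name` would avoid that collision.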
39 changes: 34 additions & 5 deletions docs/401/examples/401.2.5-banner-netids.txt
@@ -1,5 +1,34 @@
agasper508
agasper678
alopez899
aprice362
agrady791
jprice108
mnielson143
mvales154
wclark159
kthompson169
athompson183
sanderson191
jlangenberg194
jwhite222
rwilliams230
pwilliams242
lprice328
dgrady331
edoe348
svales366
mhenderson377
mlewis390
mroberts391
llopez398
amorrison406
janderson459
wmartinez487
lvales502
cvales514
jprice523
rvales544
iprice563
bmartinez592
jnielson598
amartinez605
dprice607
mbutler632
lbutler643
dmartinez657
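Review bot: the 34 NetIDs that replace the five-entry sample are the same identities that are hard-coded, one `addMember` per line, as `NonFacultyBannerINB` members in `ex401/ex401.2.end/container_files/seed-data/bootstrap.gsh`, so the two copies now have to be kept in step by hand. If the exercise's loader job is meant to consume this file, having the end-state bootstrap read the same file (rather than carrying a second inline list) would remove the duplication and the risk of the two drifting apart in a later edit.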
Binary file added docs/figures/401-banderson-mfa-enabled.png
Binary file added docs/figures/401-mfa-amber-join.png
Binary file added docs/figures/401-mfa-amber-leave.png
Binary file added docs/figures/401-mfa-athletics.png
Binary file added docs/figures/401-mfa-banner-2days-review.png
Binary file added docs/figures/401-mfa-banner-2days.png
Binary file added docs/figures/401-mfa-banner-minus-faculty.png
Binary file added docs/figures/401-mfa-clean-policy.png
Binary file added docs/figures/401-mfa-enabled.png
Binary file added docs/figures/401-mfa-opt-in-privs.png
Binary file added docs/figures/401-mfa-opt-in-security.png
Binary file added docs/figures/401-mfa-policy.png
3 changes: 3 additions & 0 deletions ex401/ex401.2.1/container_files/seed-data/bootstrap.gsh
@@ -0,0 +1,3 @@
gs = GrouperSession.startRootSession();
delStem("401.1.end")
addRootStem("401.2.1", "401.2.1")
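Review bot: `delStem("401.1.end")` assumes the marker stem left by the previous exercise image exists and will abort the seed if this image is ever built from a different base; since the file does nothing but swap one marker stem for the next, either guard the delete (look the stem up with `StemFinder` first) or add a comment naming the base image the script expects. Minor: statement termination is mixed (a `;` on the first line only); GSH accepts both, but one style per file reads better.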
2 changes: 1 addition & 1 deletion ex401/ex401.2.end/Dockerfile
@@ -1,5 +1,5 @@
ARG VERSION_TAG
FROM tier/gte:401.2.9-$VERSION_TAG
FROM tier/gte:401.2.1-$VERSION_TAG

LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
Vendor="TIER" \
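Review bot: re-pointing `FROM` at `tier/gte:401.2.1-$VERSION_TAG` is consistent with `manualBuild.sh` no longer producing the 401.2.2 through 401.2.9 images in this commit, but `ARG VERSION_TAG` has no default, so a build that omits `--build-arg VERSION_TAG=...` tries to pull `tier/gte:401.2.1-` and fails with an unhelpful manifest lookup error; give the ARG a default or document the required argument beside it. Minor: the `LABEL` keys mix cases (`author`, `Vendor`).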
168 changes: 153 additions & 15 deletions ex401/ex401.2.end/container_files/seed-data/bootstrap.gsh
@@ -1,17 +1,155 @@
gs = GrouperSession.startRootSession();
delStem("401.2.1")
addRootStem("401.2.end", "401.2.end")

// 401.2.1
addStem("app", "mfa", "mfa");
addStem("app:mfa", "security", "security");
addStem("app:mfa", "service", "service");
addStem("app:mfa:service", "policy", "policy");
addStem("app:mfa:service", "ref", "ref");
mfa_enabled = addGroup("app:mfa:service:policy", "mfa_enabled", "mfa_enabled");
addGroup("app:mfa:service:policy", "mfa_enabled_allow", "mfa_enabled_allow");
addGroup("app:mfa:service:policy", "mfa_enabled_deny", "mf_enabled_deny");
addComposite("app:mfa:service:policy:mfa_enabled", CompositeType.COMPLEMENT, "app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:policy:mfa_enabled_deny");
addGroup("app:mfa:service:ref", "mfa_pilot", "mfa_pilot");
addMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_pilot");

// 401.2.2
// Assign PSPNG `provision_to` attribute to `mfa_enabled` with a value of `pspng_entitlements`.
edu.internet2.middleware.grouper.pspng.FullSyncProvisionerFactory.getFullSyncer("pspng_entitlements");
pspngAttribute = AttributeDefNameFinder.findByName("etc:pspng:provision_to", true);
AttributeAssignSave attributeAssignSave = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true);
attributeAssignSave.assignAttributeDefName(pspngAttribute);
attributeAssignSave.assignOwnerGroup(mfa_enabled);
attributeAssignSave.addValue("pspng_entitlements");
attributeAssignSave.save();
addMember("app:mfa:service:ref:mfa_pilot", "banderson");

// 401.2.3
// nothing to do. idp already configured

// 401.2.4
// stub out ref groups for load jobs
addStem("ref", "dept", "dept");
addGroup("ref:dept", "Information Technology", "Information Technology");
addGroup("app:mfa:service:ref", "mfa_bypass", "mfa_bypass");
addMember("app:mfa:service:policy:mfa_enabled_deny", "app:mfa:service:ref:mfa_bypass");
addMember("app:mfa:service:policy:mfa_enabled_allow", "ref:dept:Information Technology");

mfa_athletics = addGroup("app:mfa:service:ref", "mfa_athletics", "mfa_athletics");
mfa_athletics.addMember(findSubject("ahenderson36"));
mfa_athletics.addMember(findSubject("amorrison42"));
mfa_athletics.addMember(findSubject("bsmith65"));
mfa_athletics.addMember(findSubject("cthompson28"));
mfa_athletics.addMember(findSubject("janderson13"));
mfa_athletics.addMember(findSubject("jdavis4"));
mfa_athletics.addMember(findSubject("jlangenberg100"));
mfa_athletics.addMember(findSubject("jprice108"));
mfa_athletics.addMember(findSubject("jvales117"));
mfa_athletics.addMember(findSubject("ldavis5"));
mfa_athletics.addMember(findSubject("mgrady137"));
mfa_athletics.addMember(findSubject("mmartinez133"));
mfa_athletics.addMember(findSubject("nscott103"));
mfa_athletics.addMember(findSubject("pthompson61"));
mfa_athletics.addMember(findSubject("rdavis16"));
addMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_athletics");

// 401.2.5
addGroup("app:mfa:service:ref", "NonFacultyBannerINB", "NonFacultyBannerINB");
addMember("app:mfa:service:ref:NonFacultyBannerINB","jprice108");
addMember("app:mfa:service:ref:NonFacultyBannerINB","mnielson143");
addMember("app:mfa:service:ref:NonFacultyBannerINB","mvales154");
addMember("app:mfa:service:ref:NonFacultyBannerINB","wclark159");
addMember("app:mfa:service:ref:NonFacultyBannerINB","kthompson169");
addMember("app:mfa:service:ref:NonFacultyBannerINB","athompson183");
addMember("app:mfa:service:ref:NonFacultyBannerINB","sanderson191");
addMember("app:mfa:service:ref:NonFacultyBannerINB","jlangenberg194");
addMember("app:mfa:service:ref:NonFacultyBannerINB","jwhite222");
addMember("app:mfa:service:ref:NonFacultyBannerINB","rwilliams230");
addMember("app:mfa:service:ref:NonFacultyBannerINB","pwilliams242");
addMember("app:mfa:service:ref:NonFacultyBannerINB","lprice328");
addMember("app:mfa:service:ref:NonFacultyBannerINB","dgrady331");
addMember("app:mfa:service:ref:NonFacultyBannerINB","edoe348");
addMember("app:mfa:service:ref:NonFacultyBannerINB","svales366");
addMember("app:mfa:service:ref:NonFacultyBannerINB","mhenderson377");
addMember("app:mfa:service:ref:NonFacultyBannerINB","mlewis390");
addMember("app:mfa:service:ref:NonFacultyBannerINB","mroberts391");
addMember("app:mfa:service:ref:NonFacultyBannerINB","llopez398");
addMember("app:mfa:service:ref:NonFacultyBannerINB","amorrison406");
addMember("app:mfa:service:ref:NonFacultyBannerINB","janderson459");
addMember("app:mfa:service:ref:NonFacultyBannerINB","wmartinez487");
addMember("app:mfa:service:ref:NonFacultyBannerINB","lvales502");
addMember("app:mfa:service:ref:NonFacultyBannerINB","cvales514");
addMember("app:mfa:service:ref:NonFacultyBannerINB","jprice523");
addMember("app:mfa:service:ref:NonFacultyBannerINB","rvales544");
addMember("app:mfa:service:ref:NonFacultyBannerINB","iprice563");
addMember("app:mfa:service:ref:NonFacultyBannerINB","bmartinez592");
addMember("app:mfa:service:ref:NonFacultyBannerINB","jnielson598");
addMember("app:mfa:service:ref:NonFacultyBannerINB","amartinez605");
addMember("app:mfa:service:ref:NonFacultyBannerINB","dprice607");
addMember("app:mfa:service:ref:NonFacultyBannerINB","mbutler632");
addMember("app:mfa:service:ref:NonFacultyBannerINB","lbutler643");
addMember("app:mfa:service:ref:NonFacultyBannerINB","dmartinez657");

addMember("app:mfa:service:policy:mfa_enabled_allow","app:mfa:service:ref:NonFacultyBannerINB");
//Set start date 2 days out
java.util.Calendar cal = Calendar.getInstance();
cal.setTime(new Date());
cal.add(Calendar.DAY_OF_YEAR, 2);
group = GroupFinder.findByName(gs, "app:mfa:service:policy:mfa_enabled_allow", true);
subject = GroupFinder.findByName(gs, "app:mfa:service:ref:NonFacultyBannerINB", true).toSubject();
group.addOrEditMember(subject, true, true, cal.getTime(), null, false);

// 401.2.6
addGroup("app:mfa:service:ref", "BannerUsersMinusFaculty", "BannerUsersMinusFaculty");
addComposite("app:mfa:service:ref:BannerUsersMinusFaculty", CompositeType.COMPLEMENT, "app:mfa:service:ref:NonFacultyBannerINB", "ref:faculty");
addMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:BannerUsersMinusFaculty")
delMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:NonFacultyBannerINB");

// 401.2.7
addGroup("app:mfa:service:ref", "mfa_opt_in", "mfa_opt_in");

addGroup("app:mfa:security", "mfa_opt_in", "mfa_opt_in");
addGroup("app:mfa:security", "mfa_opt_in_allow", "mfa_opt_in_allow");
addGroup("app:mfa:security", "mfa_opt_in_deny", "mfa_opt_in_deny");
addComposite("app:mfa:security:mfa_opt_in", CompositeType.COMPLEMENT, "app:mfa:security:mfa_opt_in_allow", "app:mfa:security:mfa_opt_in_deny");

grantPriv("app:mfa:service:ref:mfa_opt_in", "app:mfa:security:mfa_opt_in", AccessPrivilege.OPTIN);
grantPriv("app:mfa:service:ref:mfa_opt_in", "app:mfa:security:mfa_opt_in", AccessPrivilege.OPTOUT);

addGroup("app:mfa:service:ref", "mfa_required", "mfa_required");
addMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_required");

addMember("app:mfa:service:ref:mfa_required", "app:mfa:service:ref:BannerUsersMinusFaculty");
addMember("app:mfa:service:ref:mfa_required", "ref:dept:Information Technology");
addMember("app:mfa:service:ref:mfa_required", "app:mfa:service:ref:mfa_athletics");
addMember("app:mfa:service:ref:mfa_required", "app:mfa:service:ref:mfa_pilot");

delMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:BannerUsersMinusFaculty");
delMember("app:mfa:service:policy:mfa_enabled_allow", "ref:dept:Information Technology");
delMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_athletics");
delMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_pilot");

addMember("app:mfa:security:mfa_opt_in_deny", "app:mfa:service:ref:mfa_required");

addMember("app:mfa:security:mfa_opt_in_allow", "ref:faculty");
addMember("app:mfa:security:mfa_opt_in_allow", "ref:staff");
addMember("app:mfa:security:mfa_opt_in_allow", "ref:student");


// 401.2.8
addMember("app:mfa:service:policy:mfa_enabled_allow", "ref:faculty");
addMember("app:mfa:service:policy:mfa_enabled_allow", "ref:staff");
addMember("app:mfa:service:policy:mfa_enabled_allow", "ref:student");

delGroup("app:mfa:service:ref:mfa_pilot");
delGroup("app:mfa:security:mfa_opt_in");
delGroup("app:mfa:security:mfa_opt_in_allow");
delGroup("app:mfa:security:mfa_opt_in_deny");
delGroup("app:mfa:service:ref:mfa_opt_in");
delGroup("app:mfa:service:ref:mfa_required");
delGroup("app:mfa:service:ref:BannerUsersMinusFaculty");
delGroup("app:mfa:service:ref:NonFacultyBannerINB");
delGroup("app:mfa:service:ref:mfa_athletics");

addMember("app:mfa:mfa_enabled_allow", "ref:faculty");
addMember("app:mfa:mfa_enabled_allow", "ref:staff");
addMember("app:mfa:mfa_enabled_allow", "ref:student");
delMember("app:mfa:mfa_enabled_allow", "ref:dept:Information Technology");

delGroup("app:mfa:ref:pilot");
delGroup("app:mfa:etc:mfa_opt_in_access");
delGroup("app:mfa:etc:mfa_opt_in_access_allow");
delGroup("app:mfa:etc:mfa_opt_in_access_deny");
delGroup("app:mfa:ref:mfa_opt_in");
delGroup("app:mfa:ref:mfa_bypass_not_opt_in");
delGroup("app:mfa:mfa_required");
delGroup("app:mfa:ref:BannerUsersMinusFaculty");
delGroup("app:mfa:ref:NonFacultyBannerINB");
delGroup("app:mfa:ref:athletics_dept");
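Review bot: the trailing block after the 401.2.8 section, from `addMember("app:mfa:mfa_enabled_allow", "ref:faculty");` through `delGroup("app:mfa:ref:athletics_dept");`, refers to the pre-rewrite paths (`app:mfa:mfa_enabled_allow`, `app:mfa:ref:...`, `app:mfa:etc:...`, `app:mfa:mfa_required`), none of which this script creates, so those calls will either fail the seed or do nothing; they read as leftovers from the old layout, and the 401.2.8 lines above them already perform the equivalent adds and deletes against the new names, so the block should be removed. Two smaller points in the same hunk: the display name in `addGroup("app:mfa:service:policy", "mfa_enabled_deny", "mf_enabled_deny");` is missing an `a`; and in 401.2.5 `NonFacultyBannerINB` is added to `mfa_enabled_allow` unconditionally and then immediately edited to carry a start date two days out, so the unconditional `addMember` just before the `addOrEditMember` call is redundant if the intent is that the membership not take effect until that date. Finally, `ref:faculty`, `ref:staff` and `ref:student` are used in composites and memberships but never created here, so the script silently depends on the base image providing them; a comment at the top stating that dependency would help anyone rebuilding the seed.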
8 changes: 0 additions & 8 deletions ex401/manualBuild.sh
@@ -3,14 +3,6 @@ echo "Building gte:401 version ${VERSION_TAG}"
docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.1.1-${VERSION_TAG} ex401.1.1 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.1.end-${VERSION_TAG} ex401.1.end \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.1-${VERSION_TAG} ex401.2.1 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.2-${VERSION_TAG} ex401.2.2 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.3-${VERSION_TAG} ex401.2.3 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.4-${VERSION_TAG} ex401.2.4 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.5-${VERSION_TAG} ex401.2.5 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.6-${VERSION_TAG} ex401.2.6 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.7-${VERSION_TAG} ex401.2.7 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.8-${VERSION_TAG} ex401.2.8 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.9-${VERSION_TAG} ex401.2.9 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.end-${VERSION_TAG} ex401.2.end \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.1-${VERSION_TAG} ex401.3.1 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.2-${VERSION_TAG} ex401.3.2 \
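Review bot: removing the 401.2.2 through 401.2.9 builds shortens the `&&` chain, and `ex401.2.end/Dockerfile` is re-pointed at 401.2.1 in the same commit, so the visible chain stays consistent; it is worth confirming that no other Dockerfile (the 401.3.x images, for instance) still names one of the removed tags as its base, since that image would now fail to build. Separately, `${VERSION_TAG}` is expanded unguarded in every tag: if it is unset the script happily builds images tagged `401.1.1-`, `401.1.end-` and so on, so `set -u` at the top of the script, or an explicit `: "${VERSION_TAG:?VERSION_TAG must be set}"` check, would fail fast instead of producing misnamed images.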