content and gte updates for 401.2
wgthom committed Jun 7, 2019
1 parent 8c80828 commit 5b7d16c
Showing 20 changed files with 366 additions and 161 deletions.
2 changes: 1 addition & 1 deletion docs/401/401.1.rst
@@ -409,4 +409,4 @@ attestation lifecycle. Exception managment is distributed and VPN policy
participates in the global deny policy.

.. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program
.. _`PSPNG`: https://spaces.at.internet2.edu/x/iwfSBQ
.. _PSPNG: https://spaces.at.internet2.edu/x/iwfSBQ
303 changes: 173 additions & 130 deletions docs/401/401.2.rst

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion docs/401/examples/401.2.2-pspng-config.properties
@@ -94,7 +94,7 @@ changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.ps
changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
changeLog.consumer.pspng_entitlements.ldapPoolName = demo
changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : 'urn:mace:example.edu:' + group.extension}
changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:service:policy:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : 'urn:mace:example.edu:' + group.extension}
changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=*
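Review bot: The fallback branch of the new `provisionedAttributeValueFormat` line builds the entitlement from `group.extension` alone, so two provisioned groups with the same extension in different stems would collapse into one `urn:mace:example.edu:` value; the seed script in this same commit already creates both `app:mfa:service:ref:mfa_opt_in` and `app:mfa:security:mfa_opt_in`. As far as the page shows only `mfa_enabled` carries `provision_to`, so the collision is latent today, but `'urn:mace:example.edu:' + group.name` (or a comment stating that only one stem is ever provisioned) would close it. On the context line `userSearchFilter = uid=${subject.id}` the subject id is interpolated into an LDAP filter; whether PSPNG escapes filter metacharacters is not visible here and is worth confirming against its documentation.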
39 changes: 34 additions & 5 deletions docs/401/examples/401.2.5-banner-netids.txt
@@ -1,5 +1,34 @@
agasper508
agasper678
alopez899
aprice362
agrady791
jprice108
mnielson143
mvales154
wclark159
kthompson169
athompson183
sanderson191
jlangenberg194
jwhite222
rwilliams230
pwilliams242
lprice328
dgrady331
edoe348
svales366
mhenderson377
mlewis390
mroberts391
llopez398
amorrison406
janderson459
wmartinez487
lvales502
cvales514
jprice523
rvales544
iprice563
bmartinez592
jnielson598
amartinez605
dprice607
mbutler632
lbutler643
dmartinez657
Binary file added docs/figures/401-banderson-mfa-enabled.png
Binary file added docs/figures/401-mfa-amber-join.png
Binary file added docs/figures/401-mfa-amber-leave.png
Binary file added docs/figures/401-mfa-athletics.png
Binary file added docs/figures/401-mfa-banner-2days-review.png
Binary file added docs/figures/401-mfa-banner-2days.png
Binary file added docs/figures/401-mfa-banner-minus-faculty.png
Binary file added docs/figures/401-mfa-clean-policy.png
Binary file added docs/figures/401-mfa-enabled.png
Binary file added docs/figures/401-mfa-opt-in-privs.png
Binary file added docs/figures/401-mfa-opt-in-security.png
Binary file added docs/figures/401-mfa-policy.png
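--- a/ex401/ex401.2.1/container_files/seed-data/bootstrap.gsh
+++ b/ex401/ex401.2.1/container_files/seed-data/bootstrap.gsh
@@ -0,0 +1,3 @@
+gs = GrouperSession.startRootSession();
+delStem("401.1.end")
+addRootStem("401.2.1", "401.2.1")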
2 changes: 1 addition & 1 deletion ex401/ex401.2.end/Dockerfile
@@ -1,5 +1,5 @@
ARG VERSION_TAG
FROM tier/gte:401.2.9-$VERSION_TAG
FROM tier/gte:401.2.1-$VERSION_TAG

LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
Vendor="TIER" \
168 changes: 153 additions & 15 deletions ex401/ex401.2.end/container_files/seed-data/bootstrap.gsh
@@ -1,17 +1,155 @@
gs = GrouperSession.startRootSession();
delStem("401.2.1")
addRootStem("401.2.end", "401.2.end")

// 401.2.1
addStem("app", "mfa", "mfa");
addStem("app:mfa", "security", "security");
addStem("app:mfa", "service", "service");
addStem("app:mfa:service", "policy", "policy");
addStem("app:mfa:service", "ref", "ref");
mfa_enabled = addGroup("app:mfa:service:policy", "mfa_enabled", "mfa_enabled");
addGroup("app:mfa:service:policy", "mfa_enabled_allow", "mfa_enabled_allow");
addGroup("app:mfa:service:policy", "mfa_enabled_deny", "mf_enabled_deny");
addComposite("app:mfa:service:policy:mfa_enabled", CompositeType.COMPLEMENT, "app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:policy:mfa_enabled_deny");
addGroup("app:mfa:service:ref", "mfa_pilot", "mfa_pilot");
addMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_pilot");

// 401.2.2
// Assign PSPNG `provision_to` attribute to `mfa_enabled` with a value of `pspng_entitlements`.
edu.internet2.middleware.grouper.pspng.FullSyncProvisionerFactory.getFullSyncer("pspng_entitlements");
pspngAttribute = AttributeDefNameFinder.findByName("etc:pspng:provision_to", true);
AttributeAssignSave attributeAssignSave = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true);
attributeAssignSave.assignAttributeDefName(pspngAttribute);
attributeAssignSave.assignOwnerGroup(mfa_enabled);
attributeAssignSave.addValue("pspng_entitlements");
attributeAssignSave.save();
addMember("app:mfa:service:ref:mfa_pilot", "banderson");

// 401.2.3
// nothing to do. idp already configured

// 401.2.4
// stub out ref groups for load jobs
addStem("ref", "dept", "dept");
addGroup("ref:dept", "Information Technology", "Information Technology");
addGroup("app:mfa:service:ref", "mfa_bypass", "mfa_bypass");
addMember("app:mfa:service:policy:mfa_enabled_deny", "app:mfa:service:ref:mfa_bypass");
addMember("app:mfa:service:policy:mfa_enabled_allow", "ref:dept:Information Technology");

mfa_athletics = addGroup("app:mfa:service:ref", "mfa_athletics", "mfa_athletics");
mfa_athletics.addMember(findSubject("ahenderson36"));
mfa_athletics.addMember(findSubject("amorrison42"));
mfa_athletics.addMember(findSubject("bsmith65"));
mfa_athletics.addMember(findSubject("cthompson28"));
mfa_athletics.addMember(findSubject("janderson13"));
mfa_athletics.addMember(findSubject("jdavis4"));
mfa_athletics.addMember(findSubject("jlangenberg100"));
mfa_athletics.addMember(findSubject("jprice108"));
mfa_athletics.addMember(findSubject("jvales117"));
mfa_athletics.addMember(findSubject("ldavis5"));
mfa_athletics.addMember(findSubject("mgrady137"));
mfa_athletics.addMember(findSubject("mmartinez133"));
mfa_athletics.addMember(findSubject("nscott103"));
mfa_athletics.addMember(findSubject("pthompson61"));
mfa_athletics.addMember(findSubject("rdavis16"));
addMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_athletics");

// 401.2.5
addGroup("app:mfa:service:ref", "NonFacultyBannerINB", "NonFacultyBannerINB");
addMember("app:mfa:service:ref:NonFacultyBannerINB","jprice108");
addMember("app:mfa:service:ref:NonFacultyBannerINB","mnielson143");
addMember("app:mfa:service:ref:NonFacultyBannerINB","mvales154");
addMember("app:mfa:service:ref:NonFacultyBannerINB","wclark159");
addMember("app:mfa:service:ref:NonFacultyBannerINB","kthompson169");
addMember("app:mfa:service:ref:NonFacultyBannerINB","athompson183");
addMember("app:mfa:service:ref:NonFacultyBannerINB","sanderson191");
addMember("app:mfa:service:ref:NonFacultyBannerINB","jlangenberg194");
addMember("app:mfa:service:ref:NonFacultyBannerINB","jwhite222");
addMember("app:mfa:service:ref:NonFacultyBannerINB","rwilliams230");
addMember("app:mfa:service:ref:NonFacultyBannerINB","pwilliams242");
addMember("app:mfa:service:ref:NonFacultyBannerINB","lprice328");
addMember("app:mfa:service:ref:NonFacultyBannerINB","dgrady331");
addMember("app:mfa:service:ref:NonFacultyBannerINB","edoe348");
addMember("app:mfa:service:ref:NonFacultyBannerINB","svales366");
addMember("app:mfa:service:ref:NonFacultyBannerINB","mhenderson377");
addMember("app:mfa:service:ref:NonFacultyBannerINB","mlewis390");
addMember("app:mfa:service:ref:NonFacultyBannerINB","mroberts391");
addMember("app:mfa:service:ref:NonFacultyBannerINB","llopez398");
addMember("app:mfa:service:ref:NonFacultyBannerINB","amorrison406");
addMember("app:mfa:service:ref:NonFacultyBannerINB","janderson459");
addMember("app:mfa:service:ref:NonFacultyBannerINB","wmartinez487");
addMember("app:mfa:service:ref:NonFacultyBannerINB","lvales502");
addMember("app:mfa:service:ref:NonFacultyBannerINB","cvales514");
addMember("app:mfa:service:ref:NonFacultyBannerINB","jprice523");
addMember("app:mfa:service:ref:NonFacultyBannerINB","rvales544");
addMember("app:mfa:service:ref:NonFacultyBannerINB","iprice563");
addMember("app:mfa:service:ref:NonFacultyBannerINB","bmartinez592");
addMember("app:mfa:service:ref:NonFacultyBannerINB","jnielson598");
addMember("app:mfa:service:ref:NonFacultyBannerINB","amartinez605");
addMember("app:mfa:service:ref:NonFacultyBannerINB","dprice607");
addMember("app:mfa:service:ref:NonFacultyBannerINB","mbutler632");
addMember("app:mfa:service:ref:NonFacultyBannerINB","lbutler643");
addMember("app:mfa:service:ref:NonFacultyBannerINB","dmartinez657");

addMember("app:mfa:service:policy:mfa_enabled_allow","app:mfa:service:ref:NonFacultyBannerINB");
//Set start date 2 days out
java.util.Calendar cal = Calendar.getInstance();
cal.setTime(new Date());
cal.add(Calendar.DAY_OF_YEAR, 2);
group = GroupFinder.findByName(gs, "app:mfa:service:policy:mfa_enabled_allow", true);
subject = GroupFinder.findByName(gs, "app:mfa:service:ref:NonFacultyBannerINB", true).toSubject();
group.addOrEditMember(subject, true, true, cal.getTime(), null, false);

// 401.2.6
addGroup("app:mfa:service:ref", "BannerUsersMinusFaculty", "BannerUsersMinusFaculty");
addComposite("app:mfa:service:ref:BannerUsersMinusFaculty", CompositeType.COMPLEMENT, "app:mfa:service:ref:NonFacultyBannerINB", "ref:faculty");
addMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:BannerUsersMinusFaculty")
delMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:NonFacultyBannerINB");

// 401.2.7
addGroup("app:mfa:service:ref", "mfa_opt_in", "mfa_opt_in");

addGroup("app:mfa:security", "mfa_opt_in", "mfa_opt_in");
addGroup("app:mfa:security", "mfa_opt_in_allow", "mfa_opt_in_allow");
addGroup("app:mfa:security", "mfa_opt_in_deny", "mfa_opt_in_deny");
addComposite("app:mfa:security:mfa_opt_in", CompositeType.COMPLEMENT, "app:mfa:security:mfa_opt_in_allow", "app:mfa:security:mfa_opt_in_deny");

grantPriv("app:mfa:service:ref:mfa_opt_in", "app:mfa:security:mfa_opt_in", AccessPrivilege.OPTIN);
grantPriv("app:mfa:service:ref:mfa_opt_in", "app:mfa:security:mfa_opt_in", AccessPrivilege.OPTOUT);

addGroup("app:mfa:service:ref", "mfa_required", "mfa_required");
addMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_required");

addMember("app:mfa:service:ref:mfa_required", "app:mfa:service:ref:BannerUsersMinusFaculty");
addMember("app:mfa:service:ref:mfa_required", "ref:dept:Information Technology");
addMember("app:mfa:service:ref:mfa_required", "app:mfa:service:ref:mfa_athletics");
addMember("app:mfa:service:ref:mfa_required", "app:mfa:service:ref:mfa_pilot");

delMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:BannerUsersMinusFaculty");
delMember("app:mfa:service:policy:mfa_enabled_allow", "ref:dept:Information Technology");
delMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_athletics");
delMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_pilot");

addMember("app:mfa:security:mfa_opt_in_deny", "app:mfa:service:ref:mfa_required");

addMember("app:mfa:security:mfa_opt_in_allow", "ref:faculty");
addMember("app:mfa:security:mfa_opt_in_allow", "ref:staff");
addMember("app:mfa:security:mfa_opt_in_allow", "ref:student");


// 401.2.8
addMember("app:mfa:service:policy:mfa_enabled_allow", "ref:faculty");
addMember("app:mfa:service:policy:mfa_enabled_allow", "ref:staff");
addMember("app:mfa:service:policy:mfa_enabled_allow", "ref:student");

delGroup("app:mfa:service:ref:mfa_pilot");
delGroup("app:mfa:security:mfa_opt_in");
delGroup("app:mfa:security:mfa_opt_in_allow");
delGroup("app:mfa:security:mfa_opt_in_deny");
delGroup("app:mfa:service:ref:mfa_opt_in");
delGroup("app:mfa:service:ref:mfa_required");
delGroup("app:mfa:service:ref:BannerUsersMinusFaculty");
delGroup("app:mfa:service:ref:NonFacultyBannerINB");
delGroup("app:mfa:service:ref:mfa_athletics");

addMember("app:mfa:mfa_enabled_allow", "ref:faculty");
addMember("app:mfa:mfa_enabled_allow", "ref:staff");
addMember("app:mfa:mfa_enabled_allow", "ref:student");
delMember("app:mfa:mfa_enabled_allow", "ref:dept:Information Technology");

delGroup("app:mfa:ref:pilot");
delGroup("app:mfa:etc:mfa_opt_in_access");
delGroup("app:mfa:etc:mfa_opt_in_access_allow");
delGroup("app:mfa:etc:mfa_opt_in_access_deny");
delGroup("app:mfa:ref:mfa_opt_in");
delGroup("app:mfa:ref:mfa_bypass_not_opt_in");
delGroup("app:mfa:mfa_required");
delGroup("app:mfa:ref:BannerUsersMinusFaculty");
delGroup("app:mfa:ref:NonFacultyBannerINB");
delGroup("app:mfa:ref:athletics_dept");
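Review bot: The display name of the deny group in the 401.2.1 block drops a letter, `addGroup("app:mfa:service:policy", "mfa_enabled_deny", "mf_enabled_deny");`, so the group will be listed as `mf_enabled_deny` while its extension is `mfa_enabled_deny`; it should read `addGroup("app:mfa:service:policy", "mfa_enabled_deny", "mfa_enabled_deny");`. The 34 `addMember("app:mfa:service:ref:NonFacultyBannerINB", ...)` lines in the 401.2.5 block repeat the netid list committed in docs/401/examples/401.2.5-banner-netids.txt, so the two will drift unless one is generated from the other; a comment such as `// keep in sync with docs/401/examples/401.2.5-banner-netids.txt` above the block would at least flag the dependency. Because `mfa_enabled` is defined as `mfa_enabled_allow` minus `mfa_enabled_deny`, the groups feeding the deny side (`mfa_bypass` in the 401.2.4 block) are the ones whose membership switches MFA off for a user; the script grants no privileges on them (the only `grantPriv` calls are OPTIN/OPTOUT on `ref:mfa_opt_in`), which presumably is intended, but a comment at the 401.2.4 block saying who is expected to manage `mfa_bypass` would make that explicit. Finally, `addMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:BannerUsersMinusFaculty")` in the 401.2.6 block is the only statement in the 401.2.x blocks without a trailing semicolon.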
8 changes: 0 additions & 8 deletions ex401/manualBuild.sh
@@ -3,14 +3,6 @@ echo "Building gte:401 version ${VERSION_TAG}"
docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.1.1-${VERSION_TAG} ex401.1.1 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.1.end-${VERSION_TAG} ex401.1.end \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.1-${VERSION_TAG} ex401.2.1 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.2-${VERSION_TAG} ex401.2.2 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.3-${VERSION_TAG} ex401.2.3 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.4-${VERSION_TAG} ex401.2.4 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.5-${VERSION_TAG} ex401.2.5 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.6-${VERSION_TAG} ex401.2.6 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.7-${VERSION_TAG} ex401.2.7 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.8-${VERSION_TAG} ex401.2.8 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.9-${VERSION_TAG} ex401.2.9 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.end-${VERSION_TAG} ex401.2.end \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.1-${VERSION_TAG} ex401.3.1 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.2-${VERSION_TAG} ex401.3.2 \
