diff --git a/ex201/ex201.end/container_files/grouper/bootstrap.gsh b/ex201/ex201.end/container_files/grouper/bootstrap.gsh
index 7c32f2b..34e5f2b 100644
--- a/ex201/ex201.end/container_files/grouper/bootstrap.gsh
+++ b/ex201/ex201.end/container_files/grouper/bootstrap.gsh
@@ -59,7 +59,28 @@ class HelperMethods {
 println "\tAdd ${s.name} to ${g.name}: ${countBefore} -> ${countAfter} (${countAfter - countBefore})"
 }
 
- static void newApplicationTemplate(Stem parentStem, String templateKey, String templateFriendlyName, String templateDescription, List<String> myServiceActionIds = []) {
+ static void newApplicationTemplate(String parentStemName, String templateKey, String templateFriendlyName, String templateDescription, Set<String> includeActionIds, Set<String> excludeActionIds) {
+ /*
+ * List of keywords corresponding to checkboxes; add to excludeActionIds to "uncheck the box"
+ newAppStem
+ newAppServiceFolder
+ newAppPolicyFolder
+ newAppRefFolder
+ newAppRefType
+ newAppAttributeFolder
+ newAppSecurityFolder
+ newAppSecurityType
+ newAppAdminsGroup
+ newAppAdminPrivilege
+ newAppAdminPrivilege2
+ newAppAdminPrivilege3
+ newAppReadersGroup
+ newAppReadersPrivilege
+ newAppUpdatersPrivilege
+ newAppUpdatersPrivilege2
+ newAppReadersGroupMemberOfUpdaters
+ */
+ Stem parentStem = StemFinder.findByName(parentStemName, true)
 def stemTemplateContainer = new GroupStemTemplateContainer()
 stemTemplateContainer.templateKey = templateKey
 stemTemplateContainer.templateFriendlyName = templateFriendlyName
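Review bot: The comment block added above `Stem parentStem = StemFinder.findByName(parentStemName, true)` lists the checkbox ids but leaves the contract of the two new parameters undocumented; from the selection code in the next hunk, includeActionIds adds to the template's defaultChecked actions, excludeActionIds removes from the result afterwards, and both may be null. One line in that block would spare callers reading the body, e.g. `* includeActionIds: checked in addition to the defaultChecked actions; excludeActionIds: unchecked afterwards and wins over include; either may be null`. Note also that the signature drops the old `= []` default, so every caller must now pass both sets explicitly, which the later hunks do. newApplicationTemplate's body continues into the next hunk.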
@@ -69,12 +90,15 @@ class HelperMethods {
 templateLogic.stemId = parentStem.uuid
 templateLogic.stemTemplateContainer = stemTemplateContainer
 
- List<ServiceAction> selectedServiceActions = []
- if (myServiceActionIds == null || myServiceActionIds.isEmpty()) {
- selectedServiceActions = templateLogic.getServiceActions()
- } else {
- Map<String, ServiceAction> allPolicyServiceActionMap = templateLogic.getServiceActions().collectEntries { [it.id, it] }
- selectedServiceActions = myServiceActionIds.collect { allPolicyServiceActionMap[it] }
+ // simulate checking certain boxes in the ui
+ println includeActionIds
+ println excludeActionIds
+
+ List<ServiceAction> selectedServiceActions = templateLogic.getServiceActions().
+ findAll {it.defaultChecked || (includeActionIds != null && includeActionIds.contains(it.id))}.
+ findAll {excludeActionIds == null || !excludeActionIds.contains(it.id)}
+ selectedServiceActions.each {
+ println " - ${it.id}"
 }
 
 templateLogic.validate(selectedServiceActions)
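Review bot: An id in includeActionIds or excludeActionIds that matches no service action is silently ignored by the two `findAll` filters, so a misspelled exclusion leaves the box checked and the folder, group or privilege behind it is created with no error, while a misspelled inclusion just never happens. The old `allPolicyServiceActionMap[it]` lookup would at least have put a null into selectedServiceActions for an unknown id; the replacement should reject unknown ids before filtering so a typo in the bootstrap fails loudly instead of changing what gets provisioned. The same gap is in newPolicyTemplate below (hunk at -87) and in both ex401 copies (hunks at -58 and -76). The bare `println includeActionIds` and `println excludeActionIds` read as leftover debugging; if they stay, one labelled line such as `println "include=${includeActionIds} exclude=${excludeActionIds}"` is easier to find in the bootstrap log. The rest of newApplicationTemplate lies outside this hunk.
```groovy
        List<ServiceAction> allActions = templateLogic.getServiceActions()
        Set<String> knownIds = allActions*.id as Set
        Collection<String> unknownIds = ((includeActionIds ?: []) + (excludeActionIds ?: [])).findAll { !knownIds.contains(it) }
        if (unknownIds) {
            throw new IllegalArgumentException("Unknown service action id(s) for template ${templateKey}: ${unknownIds}")
        }
        List<ServiceAction> selectedServiceActions = allActions.
                findAll {it.defaultChecked || (includeActionIds != null && includeActionIds.contains(it.id))}.
                findAll {excludeActionIds == null || !excludeActionIds.contains(it.id)}
        // … unchanged: per-action println and templateLogic.validate(selectedServiceActions) …
```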
@@ -87,31 +111,50 @@ class HelperMethods { } } - static void newPolicyTemplate(Stem parentStem, String templateKey, String templateFriendlyName, String templateDescription, List<String> myServiceActionIds = []) { + static void newPolicyTemplate(String parentStemName, String templateKey, String templateFriendlyName, String templateDescription, Set<String> includeActionIds, Set<String> excludeActionIds) { + /* + * List of keywords corresponding to checkboxes; add to excludeActionIds to "uncheck the box" + policyGroupCreate + policyGroupType + policyGroupAllowGroupCreate + allowIntermediatgeGroupType + policyGroupAllowManualGroupCreate + policyGroupAddManualToAllow + allowManualGroupType + policyGroupDenyGroupCreate + denyIntermediatgeGroupType + policyGroupLockoutGroup_0 + policyGroupDenyManualGroupCreate + policyGroupAddManualToDeny + denyManualGroupType + policyGroupRequireGroup_0 + */ + Stem parentStem = StemFinder.findByName(parentStemName, true) // note that this doesn't work < 2.5.56 due to dependence on the UI def policyStemTemplateContainer = new GroupStemTemplateContainer() policyStemTemplateContainer.templateKey = templateKey policyStemTemplateContainer.templateFriendlyName = templateFriendlyName policyStemTemplateContainer.templateDescription = templateDescription - GrouperTemplatePolicyGroupLogic policyTemplateLogic = new GrouperTemplatePolicyGroupLogic() - policyTemplateLogic.stemId = parentStem.uuid - policyTemplateLogic.stemTemplateContainer = policyStemTemplateContainer + GrouperTemplatePolicyGroupLogic templateLogic = new GrouperTemplatePolicyGroupLogic() + templateLogic.stemId = parentStem.uuid + templateLogic.stemTemplateContainer = policyStemTemplateContainer // simulate checking certain boxes in the ui - List<ServiceAction> selectedServiceActions = [] - if (myServiceActionIds == null || myServiceActionIds.isEmpty()) { - selectedServiceActions = policyTemplateLogic.getServiceActions() - } else { - Map<String, ServiceAction> 
allPolicyServiceActionMap = policyTemplateLogic.getServiceActions().collectEntries { [it.id, it] } - selectedServiceActions = myServiceActionIds.collect { allPolicyServiceActionMap[it] } + println includeActionIds + println excludeActionIds + List<ServiceAction> selectedServiceActions = templateLogic.getServiceActions(). + findAll {it.defaultChecked || (includeActionIds != null && includeActionIds.contains(it.id))}. + findAll {excludeActionIds == null || !excludeActionIds.contains(it.id)} + selectedServiceActions.each { + println " - ${it.id}" } + templateLogic.validate(selectedServiceActions) - policyTemplateLogic.validate(selectedServiceActions) selectedServiceActions.each { serviceAction -> serviceAction.getServiceActionType().createTemplateItem(serviceAction) } - String policyErrorKey = policyTemplateLogic.postCreateSelectedActions(selectedServiceActions) + String policyErrorKey = templateLogic.postCreateSelectedActions(selectedServiceActions) if (policyErrorKey != null) { println "Creating policy group returned error: ${policyErrorKey}" } 
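Review bot: The selection block added here (the two `println`s, the `findAll` chain and the per-action println) is a line-for-line copy of the one added to newApplicationTemplate in the previous hunk, differing only in the logic object. Both methods now hold their logic in a variable named templateLogic, so the block can be lifted into one private helper such as `private static List<ServiceAction> selectServiceActions(def templateLogic, Set<String> includeActionIds, Set<String> excludeActionIds)`, which also means a later fix lands in one place; the ex401 copy of this file carries the same pair. newPolicyTemplate continues past the end of the hunk.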
@@ -227,38 +270,24 @@ HelperMethods.addSubjectWithCount(studentGroup, classSubject) /* New application Template */ -HelperMethods.newApplicationTemplate(StemFinder.findByName(gs, "app", true), - "gitlab", - "GitLab", - "Access policies for the ITS GitLab version control system", - null) +HelperMethods.newApplicationTemplate("app", + "gitlab", + "GitLab", + "Access policies for the ITS GitLab version control system", + null, + ['newAppAttributeFolder'] as Set) /* New policy Template */ -Stem policyStem = StemFinder.findByName(gs, "app:gitlab:service:policy", true) -ArrayList<String> myServiceActionIds = [ - 'policyGroupCreate', - 'policyGroupType', - 'policyGroupAllowGroupCreate', - 'allowIntermediatgeGroupType', - //'policyGroupAllowManualGroupCreate', - //'policyGroupAddManualToAllow', - //'allowManualGroupType', - 'policyGroupDenyGroupCreate', - 'denyIntermediatgeGroupType', - 'policyGroupLockoutGroup_0', - //'policyGroupDenyManualGroupCreate', - //'policyGroupAddManualToDeny', - //'denyManualGroupType', -] - -HelperMethods.newPolicyTemplate(policyStem, +HelperMethods.newPolicyTemplate( + "app:gitlab:service:policy", "gitlab_access", "GitLab Access", "Overall access policy for the ITS GitLab version control system", - myServiceActionIds -) + null, + null) + /* Add members to gitlab_access_allow */ Group gitlabAccessAllow = GroupFinder.findByName(gs, "app:gitlab:service:policy:gitlab_access_allow", true) 
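Review bot: Replacing the explicit myServiceActionIds list with `null, null` in the gitlab_access call means the set of policy groups created now follows whatever Grouper marks defaultChecked, so the result depends on the Grouper version in the container rather than on this script. The removed list named `policyGroupLockoutGroup_0` explicitly and left `policyGroupRequireGroup_0` out; if the installed version's defaults differ from that, the lockout or require groups appear or disappear without any change to this file, and any later section that looks those groups up by name would break. The actions this exercise relies on are worth naming in includeActionIds, and the ones it must not have in excludeActionIds, so the selection is pinned, e.g. `['policyGroupLockoutGroup_0'] as Set, ['policyGroupRequireGroup_0'] as Set`. The same `null, null` appears in the wiki and cognos calls below (hunks at -305 and -357) and in the ex401 mfa_opt_in_access call (hunk at -476); the ex401 vpn and mfa calls do pin their selection.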
@@ -277,11 +306,13 @@ HelperMethods.addSubjectWithCount(gitlabUpdaters, infrastructureStaff.toSubject( /***** 201.3 eduPersonAffiliation *****/ -HelperMethods.newApplicationTemplate(StemFinder.findByName(gs, "app", true), +HelperMethods.newApplicationTemplate("app", "eduPersonAffiliation", "eduPersonAffiliation", "eduPersonAffiliation (defined in eduPerson 1.0); OID: 1.3.6.1.4.1.5923.1.1.1.1 Specifies the person's relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc.", - null) + null, + ['newAppAttributeFolder'] as Set) + Stem policyStem = StemFinder.findByName(gs, "app:eduPersonAffiliation:service:policy", true) HelperMethods.assignObjectTypeForStem(policyStem, "policy") 
@@ -305,36 +336,22 @@ HelperMethods.provisionObject(policyStem, "eduPersonAffiliation", '''{"md_groupe /***** 201.4 eduPersonEntitlement *****/ -HelperMethods.newApplicationTemplate(StemFinder.findByName(gs, "app", true), +HelperMethods.newApplicationTemplate("app", "wiki", "wiki", "Student wiki", - null) + null, + ['newAppAttributeFolder'] as Set) Stem policyStem = StemFinder.findByName(gs, "app:wiki:service:policy", true) -ArrayList<String> myServiceActionIds = [ - 'policyGroupCreate', - 'policyGroupType', - 'policyGroupAllowGroupCreate', - 'allowIntermediatgeGroupType', - //'policyGroupAllowManualGroupCreate', - //'policyGroupAddManualToAllow', - //'allowManualGroupType', - 'policyGroupDenyGroupCreate', - 'denyIntermediatgeGroupType', - 'policyGroupLockoutGroup_0', - //'policyGroupDenyManualGroupCreate', - //'policyGroupAddManualToDeny', - //'denyManualGroupType', - //'policyGroupRequireGroup_0' -] - -HelperMethods.newPolicyTemplate(policyStem, + +HelperMethods.newPolicyTemplate( + "app:wiki:service:policy", "wiki_user", "wiki_user", "Access policy for student wiki", - myServiceActionIds -) + null, + null) Group group = GroupFinder.findByName(gs, "${policyStem.name}:wiki_user_allow", true) Subject subject = SubjectFinder.findByIdentifierAndSource("ref:student:students", "g:gsa", true) 
@@ -357,48 +374,34 @@ HelperMethods.provisionObject(group, "eduPersonEntitlement", '''{"md_entitlement /***** 201.5: Policy groups and dynamic application permissions (Cognos) *****/ -HelperMethods.newApplicationTemplate(StemFinder.findByName(gs, "app", true), +HelperMethods.newApplicationTemplate("app", "cognos", "cognos", "Manage policy roles for Cognos application", - null) + null, + ['newAppAttributeFolder'] as Set) + + +/* New policy Template */ -Stem policyStem = StemFinder.findByName(gs, "app:cognos:service:policy", true) -ArrayList<String> myServiceActionIds = [ - 'policyGroupCreate', - 'policyGroupType', - 'policyGroupAllowGroupCreate', - 'allowIntermediatgeGroupType', - //'policyGroupAllowManualGroupCreate', - //'policyGroupAddManualToAllow', - //'allowManualGroupType', - 'policyGroupDenyGroupCreate', - 'denyIntermediatgeGroupType', - 'policyGroupLockoutGroup_0', - //'policyGroupDenyManualGroupCreate', - //'policyGroupAddManualToDeny', - //'denyManualGroupType', - //'policyGroupRequireGroup_0' -] - -HelperMethods.newPolicyTemplate(policyStem, +HelperMethods.newPolicyTemplate( + "app:cognos:service:policy", "cg_fin_report_reader", "cg_fin_report_reader", "Report Reader Access Policy", - myServiceActionIds -) + null, + null) -HelperMethods.newPolicyTemplate(policyStem, +HelperMethods.newPolicyTemplate( + "app:cognos:service:policy", "cg_fin_report_writer", "cg_fin_report_writer", "Report Writer Access Policy", - myServiceActionIds -) - + null, + null) Group financeStaff = GroupFinder.findByName(gs, "basis:hr:employee:dept:10810:staff", true) Group cg_fin_report_reader_allow = GroupFinder.findByName(gs, "app:cognos:service:policy:cg_fin_report_reader_allow", true) -"app:cognos:service:policy:cg_fin_report_reader_allow" HelperMethods.addSubjectWithCount(cg_fin_report_reader_allow, financeStaff.toSubject()) diff --git a/ex401/ex401.end/container_files/grouper/bootstrap.gsh b/ex401/ex401.end/container_files/grouper/bootstrap.gsh index 4f4b548..7c2c2ec 100644 
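Review bot: Any later reference to policyStem in section 201.5 would now resolve to the wiki section's stem, because the `Stem policyStem = StemFinder.findByName(gs, "app:cognos:service:policy", true)` declaration is removed here while the wiki one above is kept and still used via `"${policyStem.name}:wiki_user_allow"`. The rest of the section is outside the hunk, so whether such a reference exists cannot be confirmed from here; a search for policyStem below this point before merging would settle it. The same declaration is removed for the two mfa sections in ex401 (hunks at -376 and -476).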
--- a/ex401/ex401.end/container_files/grouper/bootstrap.gsh
+++ b/ex401/ex401.end/container_files/grouper/bootstrap.gsh
@@ -48,7 +48,28 @@ class HelperMethods {
 println "\tAdd ${s.name} to ${g.name}: ${countBefore} -> ${countAfter} (${countAfter - countBefore})"
 }
 
- static void newApplicationTemplate(Stem parentStem, String templateKey, String templateFriendlyName, String templateDescription, List<String> myServiceActionIds = []) {
+ static void newApplicationTemplate(String parentStemName, String templateKey, String templateFriendlyName, String templateDescription, Set<String> includeActionIds, Set<String> excludeActionIds) {
+ /*
+ * List of keywords corresponding to checkboxes; add to excludeActionIds to "uncheck the box"
+ newAppStem
+ newAppServiceFolder
+ newAppPolicyFolder
+ newAppRefFolder
+ newAppRefType
+ newAppAttributeFolder
+ newAppSecurityFolder
+ newAppSecurityType
+ newAppAdminsGroup
+ newAppAdminPrivilege
+ newAppAdminPrivilege2
+ newAppAdminPrivilege3
+ newAppReadersGroup
+ newAppReadersPrivilege
+ newAppUpdatersPrivilege
+ newAppUpdatersPrivilege2
+ newAppReadersGroupMemberOfUpdaters
+ */
+ Stem parentStem = StemFinder.findByName(parentStemName, true)
 def stemTemplateContainer = new GroupStemTemplateContainer()
 stemTemplateContainer.templateKey = templateKey
 stemTemplateContainer.templateFriendlyName = templateFriendlyName
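Review bot: The newApplicationTemplate replacement in this hunk is byte-for-byte the same as the ex201 one in this commit, so HelperMethods is now maintained in two bootstrap.gsh files that have to be edited in lockstep, and the surrounding line numbers already differ. If the exercises must stay self-contained, a comment at the class header (outside this hunk) such as `// Keep in sync with ex201/ex201.end/container_files/grouper/bootstrap.gsh` at least makes the coupling visible to the next editor. newApplicationTemplate's body continues into the next hunk.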
@@ -58,12 +79,15 @@ class HelperMethods {
 templateLogic.stemId = parentStem.uuid
 templateLogic.stemTemplateContainer = stemTemplateContainer
 
- List<ServiceAction> selectedServiceActions = []
- if (myServiceActionIds == null || myServiceActionIds.isEmpty()) {
- selectedServiceActions = templateLogic.getServiceActions()
- } else {
- Map<String, ServiceAction> allPolicyServiceActionMap = templateLogic.getServiceActions().collectEntries { [it.id, it] }
- selectedServiceActions = myServiceActionIds.collect { allPolicyServiceActionMap[it] }
+ // simulate checking certain boxes in the ui
+ println includeActionIds
+ println excludeActionIds
+
+ List<ServiceAction> selectedServiceActions = templateLogic.getServiceActions().
+ findAll {it.defaultChecked || (includeActionIds != null && includeActionIds.contains(it.id))}.
+ findAll {excludeActionIds == null || !excludeActionIds.contains(it.id)}
+ selectedServiceActions.each {
+ println " - ${it.id}"
 }
 
 templateLogic.validate(selectedServiceActions)
@@ -76,31 +100,50 @@ class HelperMethods { } } - static void newPolicyTemplate(Stem parentStem, String templateKey, String templateFriendlyName, String templateDescription, List<String> myServiceActionIds = []) { + static void newPolicyTemplate(String parentStemName, String templateKey, String templateFriendlyName, String templateDescription, Set<String> includeActionIds, Set<String> excludeActionIds) { + /* + * List of keywords corresponding to checkboxes; add to excludeActionIds to "uncheck the box" + policyGroupCreate + policyGroupType + policyGroupAllowGroupCreate + allowIntermediatgeGroupType + policyGroupAllowManualGroupCreate + policyGroupAddManualToAllow + allowManualGroupType + policyGroupDenyGroupCreate + denyIntermediatgeGroupType + policyGroupLockoutGroup_0 + policyGroupDenyManualGroupCreate + policyGroupAddManualToDeny + denyManualGroupType + policyGroupRequireGroup_0 + */ + Stem parentStem = StemFinder.findByName(parentStemName, true) // note that this doesn't work < 2.5.56 due to dependence on the UI def policyStemTemplateContainer = new GroupStemTemplateContainer() policyStemTemplateContainer.templateKey = templateKey policyStemTemplateContainer.templateFriendlyName = templateFriendlyName policyStemTemplateContainer.templateDescription = templateDescription - GrouperTemplatePolicyGroupLogic policyTemplateLogic = new GrouperTemplatePolicyGroupLogic() - policyTemplateLogic.stemId = parentStem.uuid - policyTemplateLogic.stemTemplateContainer = policyStemTemplateContainer + GrouperTemplatePolicyGroupLogic templateLogic = new GrouperTemplatePolicyGroupLogic() + templateLogic.stemId = parentStem.uuid + templateLogic.stemTemplateContainer = policyStemTemplateContainer // simulate checking certain boxes in the ui - List<ServiceAction> selectedServiceActions = [] - if (myServiceActionIds == null || myServiceActionIds.isEmpty()) { - selectedServiceActions = policyTemplateLogic.getServiceActions() - } else { - Map<String, ServiceAction> 
allPolicyServiceActionMap = policyTemplateLogic.getServiceActions().collectEntries { [it.id, it] } - selectedServiceActions = myServiceActionIds.collect { allPolicyServiceActionMap[it] } + println includeActionIds + println excludeActionIds + List<ServiceAction> selectedServiceActions = templateLogic.getServiceActions(). + findAll {it.defaultChecked || (includeActionIds != null && includeActionIds.contains(it.id))}. + findAll {excludeActionIds == null || !excludeActionIds.contains(it.id)} + selectedServiceActions.each { + println " - ${it.id}" } + templateLogic.validate(selectedServiceActions) - policyTemplateLogic.validate(selectedServiceActions) selectedServiceActions.each { serviceAction -> serviceAction.getServiceActionType().createTemplateItem(serviceAction) } - String policyErrorKey = policyTemplateLogic.postCreateSelectedActions(selectedServiceActions) + String policyErrorKey = templateLogic.postCreateSelectedActions(selectedServiceActions) if (policyErrorKey != null) { println "Creating policy group returned error: ${policyErrorKey}" } 
@@ -247,38 +290,24 @@ attributeAssign.attributeValueDelegate.with { // Create app template -HelperMethods.newApplicationTemplate(StemFinder.findByName(gs, "app", true), - "vpn", - "vpn", - "VPN access policies", - null) - +HelperMethods.newApplicationTemplate("app", + "vpn", + "vpn", + "VPN access policies", + null, + ['newAppAttributeFolder'] as Set) /* New policy Template */ Stem policyStem = StemFinder.findByName(gs, "app:vpn:service:policy", true) -ArrayList<String> myServiceActionIds = [ - 'policyGroupCreate', - 'policyGroupType', - 'policyGroupAllowGroupCreate', - 'allowIntermediatgeGroupType', - 'policyGroupAllowManualGroupCreate', - 'policyGroupAddManualToAllow', - 'allowManualGroupType', - 'policyGroupDenyGroupCreate', - 'denyIntermediatgeGroupType', - 'policyGroupLockoutGroup_0', - //'policyGroupDenyManualGroupCreate', - //'policyGroupAddManualToDeny', - //'denyManualGroupType', -] - -HelperMethods.newPolicyTemplate(policyStem, + +HelperMethods.newPolicyTemplate( + "app:vpn:service:policy", "vpn_authorized", "vpn_authorized", "Access policy for the campus VPN", - myServiceActionIds -) + ['policyGroupAllowManualGroupCreate', 'policyGroupAddManualToAllow', 'allowManualGroupType'] as Set, + null) /* Add members to vpn_authorized_allow */ Group vpnAccessAllow = GroupFinder.findByName(gs, "app:vpn:service:policy:vpn_authorized_allow", true) 
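Review bot: The stem name `"app:vpn:service:policy"` is now written twice in this hunk, once in the kept `Stem policyStem = StemFinder.findByName(gs, "app:vpn:service:policy", true)` and again as the first argument of newPolicyTemplate, so a rename of the policy folder has to be made in two places. Passing `policyStem.name` as the first argument keeps the call tied to the stem that was just resolved. The include set for vpn_authorized (`['policyGroupAllowManualGroupCreate', 'policyGroupAddManualToAllow', 'allowManualGroupType'] as Set`) does pin the manual-group actions explicitly, which keeps that selection independent of Grouper's defaults.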
@@ -287,14 +316,7 @@ HelperMethods.addSubjectWithCount(vpnAccessAllow, allFacStaff.toSubject()) /***** 401.2: VPN Access Control (II) *****/ -HelperMethods.newApplicationTemplate(StemFinder.findByName(gs, "app", true), - "eduPersonAffiliation", - "eduPersonAffiliation", - "eduPersonAffiliation (defined in eduPerson 1.0); OID: 1.3.6.1.4.1.5923.1.1.1.1 Specifies the person's relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc.", - null) - Group policyGroup = GroupFinder.findByName(gs, "app:vpn:service:policy:vpn_authorized", true) -HelperMethods.assignObjectTypeForGroup(policyGroup, "policy") /* Provisioning - the groupOfNames provisioner should already be set up */ HelperMethods.provisionObject(policyGroup, "groupOfNames") @@ -376,38 +398,22 @@ vpnAudit.addCompositeMember(CompositeType.INTERSECTION, // Create app template -HelperMethods.newApplicationTemplate(StemFinder.findByName(gs, "app", true), +HelperMethods.newApplicationTemplate("app", "mfa", "mfa", "Multi-factor authentication (MFA) policies", - null) - + null, + ['newAppAttributeFolder'] as Set) /* New policy Template */ -Stem policyStem = StemFinder.findByName(gs, "app:mfa:service:policy", true) -ArrayList<String> myServiceActionIds = [ - 'policyGroupCreate', - 'policyGroupType', - 'policyGroupAllowGroupCreate', - 'allowIntermediatgeGroupType', - //'policyGroupAllowManualGroupCreate', - //'policyGroupAddManualToAllow', - //'allowManualGroupType', - 'policyGroupDenyGroupCreate', - 'denyIntermediatgeGroupType', - //'policyGroupLockoutGroup_0', - //'policyGroupDenyManualGroupCreate', - //'policyGroupAddManualToDeny', - //'denyManualGroupType', -] - -HelperMethods.newPolicyTemplate(policyStem, +HelperMethods.newPolicyTemplate( + "app:mfa:service:policy", "mfa_enabled", "mfa_enabled", "Users with MFA enabled", - myServiceActionIds -) + null, + ['policyGroupLockoutGroup_0'] as Set) // reference group 
@@ -476,30 +482,14 @@ mfaEnabledAllow.deleteMember(sensitiveData.toSubject()) Group mfaOptIn = new GroupSave(gs).assignName("app:mfa:service:ref:mfa_opt_in").save() mfaEnabledAllow.addMember(mfaOptIn.toSubject(), false) - -Stem policyStem = StemFinder.findByName(gs, "app:mfa:security", true) -ArrayList<String> myServiceActionIds = [ - 'policyGroupCreate', - 'policyGroupType', - 'policyGroupAllowGroupCreate', - 'allowIntermediatgeGroupType', - //'policyGroupAllowManualGroupCreate', - //'policyGroupAddManualToAllow', - //'allowManualGroupType', - 'policyGroupDenyGroupCreate', - 'denyIntermediatgeGroupType', - 'policyGroupLockoutGroup_0', - //'policyGroupDenyManualGroupCreate', - //'policyGroupAddManualToDeny', - //'denyManualGroupType', -] - -HelperMethods.newPolicyTemplate(policyStem, +HelperMethods.newPolicyTemplate( + "app:mfa:security", "mfa_opt_in_access", "mfa_opt_in_access", "Users with opt-in privileges", - myServiceActionIds -) + null, + null) + Group mfaOptInAllowSec = GroupFinder.findByName(gs, "app:mfa:security:mfa_opt_in_access_allow", true) ["ref:role:emp:staff", "ref:role:emp:faculty", "ref:student:students"].each {