From 89b0c2f1803e65d51c28a2b8cd607c68f06265fc Mon Sep 17 00:00:00 2001 From: John Gasper Date: Mon, 8 Oct 2018 13:56:45 -0700 Subject: [PATCH] Finalized 201.4 --- README.md | 2 +- ex201/ex201.4.end/Dockerfile | 1 + .../container_files/attribute-filter.xml | 66 +++++++++++++++++++ .../container_files/seed-data/bootstrap.gsh | 9 +-- 4 files changed, 73 insertions(+), 5 deletions(-) create mode 100644 ex201/ex201.4.end/container_files/attribute-filter.xml diff --git a/README.md b/README.md index 9004d71..b249b3b 100644 --- a/README.md +++ b/README.md @@ -49,7 +49,7 @@ Current tags: - ex401.4.1 - ex401.4.end -Browse to `https://localhost:8443/grouper` for Grouper. There is also an app that dumps the SP user attributes at `https://localhost/app`. +Browse to `https://localhost:8443/grouper` for Grouper. There is also an app that dumps the SP user attributes at `https://localhost:8443/app`. # Users - `banderson`/`password`: Grouper Administrator diff --git a/ex201/ex201.4.end/Dockerfile b/ex201/ex201.4.end/Dockerfile index a0ec2b2..9e0e4f3 100644 --- a/ex201/ex201.4.end/Dockerfile +++ b/ex201/ex201.4.end/Dockerfile @@ -9,6 +9,7 @@ LABEL author="tier-packaging@internet2.edu " \ ENV USERTOKEN=ex201.4.end COPY container_files/seed-data/ /seed-data/ +COPY container_files/attribute-filter.xml /opt/shibboleth-idp/conf/ RUN (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \ && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \ diff --git a/ex201/ex201.4.end/container_files/attribute-filter.xml b/ex201/ex201.4.end/container_files/attribute-filter.xml new file mode 100644 index 0000000..b214d12 --- /dev/null +++ b/ex201/ex201.4.end/container_files/attribute-filter.xml @@ -0,0 +1,66 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
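Review bot: The added `COPY container_files/attribute-filter.xml /opt/shibboleth-idp/conf/` line carries no comment, yet it installs the file that decides which user attributes the IdP releases to service providers, presumably overwriting the one shipped in the base image. A comment above it would make the override deliberate, for example `# Replaces the IdP attribute release policy; re-review attribute-filter.xml whenever an attribute or SP is added`. The policy's contents are not readable on this page, so whether each release rule is scoped to a named requester rather than to any SP has to be confirmed in the file itself. The Dockerfile starts and continues outside this hunk.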
diff --git a/ex201/ex201.4.end/container_files/seed-data/bootstrap.gsh b/ex201/ex201.4.end/container_files/seed-data/bootstrap.gsh index 7f84f52..c713f52 100644 --- a/ex201/ex201.4.end/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.4.end/container_files/seed-data/bootstrap.gsh @@ -6,9 +6,9 @@ addStem("app:wiki", "service", "service"); addStem("app:wiki:service", "policy", "policy"); addGroup("app:wiki:service:policy", "wiki_authorized", "wiki_authorized"); -addGroup("app:wiki:service:policy", "wiki_authorized", "wiki_authorized"); +addGroup("app:wiki:service:policy", "wiki_authorized_allow", "wiki_authorized_allow"); addGroup("app:wiki:service:policy", "wiki_authorized_deny", "wiki_authorized_deny"); -addComposite("app:wiki:service:policy:wiki_authorized", CompositeType.COMPLEMENT, "app:wiki:service:policy:wiki_authorized", "app:wiki:service:policy:wiki_authorized_deny"); +addComposite("app:wiki:service:policy:wiki_authorized", CompositeType.COMPLEMENT, "app:wiki:service:policy:wiki_authorized_allow", "app:wiki:service:policy:wiki_authorized_deny"); //ex201.4.2 addStem("app:wiki", "security", "security"); @@ -17,6 +17,7 @@ grantPriv("app:wiki:service", "app:wiki:security:wiki_admin", NamingPrivilege.ST //ex201.4.3 addMember("app:wiki:service:policy:wiki_authorized_allow", "ref:student:students"); +addGroup("ref:iam", "global_deny", "global_deny"); addMember("app:wiki:service:policy:wiki_authorized_deny", "ref:iam:global_deny"); //ex201.4.4 @@ -36,7 +37,7 @@ attributeAssignSave.save(); //ex201.4.5 -(nothing) +//(nothing) //ex201.4.6 -(nothing) \ No newline at end of file +//(nothing) \ No newline at end of file
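Review bot: The corrected `addComposite(...)` line in the first hunk depends on operand order, and nothing in the script records that. With `CompositeType.COMPLEMENT` the first group is the allow set and the second is subtracted from it, so swapping the two arguments would grant access to exactly the subjects meant to be denied. A one-line comment above the call would protect the next edit, for example `// wiki_authorized = wiki_authorized_allow minus wiki_authorized_deny; deny always wins`. The script starts and continues outside this hunk.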
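Review bot: The new `addGroup("ref:iam", "global_deny", "global_deny");` in the second hunk assumes the `ref:iam` stem already exists, and no visible line creates it. If the stem is missing from the base seed data, this call and the following `addMember` of `ref:iam:global_deny` into `wiki_authorized_deny` would presumably both fail, leaving the wiki policy with an allow list and no global deny behind it. Confirm the stem is created earlier in the bootstrap, or add `addStem("ref", "iam", "iam");` ahead of this line. The surrounding script is only partly visible here.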