grouper 2.4a64 101/201 updates

base/Dockerfile

@@ -1,7 +1,7 @@
 FROM tier/shib-idp:3.4.3_20190201 as idp
 
 # Grouper version for the entire GTE
-FROM tier/grouper:2.4.0-a47-u25-w5-p6-20190611
+FROM tier/grouper:2.4.0-a64-u38-w6-p6-20190612-rc1
 
 # Disable docker HEALTHCHECK inherited from tier/shib-sp
 HEALTHCHECK NONE

base/container_files/conf/grouper.properties

@@ -23,3 +23,33 @@ groups.wheel.group                    = etc:sysadmingroup
 # Used to allow Include Exclude groups
 grouperIncludeExclude.use = true
 grouperIncludeExclude.requireGroups.use = true
+
+##################################
+## Lockout groups.  Could be used for other things, but used for policy group templates at least
+## if there is no allowed group, then anyone could use it
+##################################
+
+# group name of a lockout group
+# {valueType: "group", regex: "^grouper\\.lockoutGroup\\.name\\.\\d+$"}
+grouper.lockoutGroup.name.0 = ref:iam:global_deny
+
+# allowed to use this lockout group.  If not configured, anyone could use
+# {valueType: "group", regex: "^grouper\\.lockoutGroup\\.allowedToUse\\.\\d+$"}
+# grouper.lockoutGroup.allowedToUse.0 = ref:lockoutCanUse
+
+##################################
+## Require groups.  Could be used for other things, but used for policy group templates at least
+## if there is no allowed group, then anyone could use it
+##################################
+
+# group name of a require group
+# {valueType: "group", regex: "^grouper\\.requireGroup\\.name\\.\\d+$"}
+grouper.requireGroup.name.0 = ref:iam:active
+
+# group name of a require group
+# {valueType: "group", regex: "^grouper\\.requireGroup\\.name\\.\\d+$"}
+grouper.requireGroup.name.0 = ref:employee:fac_staff
+
+# allowed to use this require group.  If not configured, anyone could use
+# {valueType: "group", regex: "^grouper\\.lockoutGroup\\.requireGroup\\.\\d+$"}
+# grouper.requireGroup.allowedToUse.0 = ref:activeCanUse

docs/201/201.2.rst

@@ -68,13 +68,6 @@ create a new structure for our VPN service policy.
 
 .. figure:: ../figures/201-new-vpn-policy.png
 
-TODO: Steps 5 through 8 should be replaced with policy template when ready
-
-5. Create `app:vpn:vpn_access`.
-6. Create `app:vpn:vpn_allow`.
-7. Create `app:vpn:vpn_deny`.
-8. Make `vpn_access` a composite of `vpn_allow` minus `vpn_deny`.
-
 -------------------------------------------------------------------
 Exercise 201.2.2 Create digital policy from natural language policy
 -------------------------------------------------------------------
@@ -83,8 +76,8 @@ The natural language policy is "all faculty and staff have access to vpn,
 unless denied by CISO or the account is in a closure state".  Reference groups
 are already available.
 
-#. Add `ref:employee:fac_staff` to `vpn_allow`.
-#. Add `ref:security:locked_by_ciso` to `vpn_deny`.
+#. Add `ref:employee:fac_staff` to `vpn_access_allow`.
+#. Add `ref:security:locked_by_ciso` to `vpn_access_deny`.
 #. Add `ref:iam:closure` to `vpn_deny`.
 #. Review the `vpn_access` policy definition
    (vpn_access -> More actions -> Visualization)
@@ -106,7 +99,7 @@ account is in a closure state".
 
 .. figure:: ../figures/201-jsmith-trace.png
 
-4. View the audit log on `vpn_allow`. (vpn_allow -> More actions -> View audit
+4. View the audit log on `vpn_access_allow`. (vpn_access_allow -> More actions -> View audit
    log)
 
 .. figure:: ../figures/201-vpn-allow-audit.png
@@ -125,7 +118,7 @@ controlled by security groups in `app:vpn:security`. Security groups are
 essentially policy groups for Grouper access. Review the default privileges on
 `vpn_allow`.
 
-#. Naviage to `ref:app:vpn:service:policy:vpn_allow`.
+#. Naviage to `ref:app:vpn:service:policy:vpn_access_allow`.
 #. Click on the Privileges tab.
 
 .. figure:: ../figures/201-vpn-allow-privileges.png

docs/201/201.3.rst

@@ -73,7 +73,7 @@ Exercise 201.3.1 Create app folder for eduPersonAffiliation values
 
 .. figure:: ../figures/201-eduPersonAffiliation-app-template.png
 
-#. Create the following policy groups in
+#. Create the following groups in
    `app:eduPersonAffiliation:service:policy:`
 
 * `ePA_student`
@@ -118,19 +118,22 @@ Exercise 201.3.4 Configure PSPNG to reflect ePA values to LDAP
 --------------------------------------------------------------
 
 #. Configure PSPNG to sync group membership to LDAP values for
-   **eduPersonAffiliation**.
+   **eduPersonAffiliation**. The following is already configured for you in
+   grouper-loader.properties.
 
    .. literalinclude:: examples/201-3-4.pspng-epa.grouper-loader.properties
         :language: properties
         :caption: grouper-loader.properties
         :linenos:
 
 #. Assign PSPNG *provision_to* attribute to `ePA_member` with a value of
-   **pspng_affiliations**.
+   **pspng_affiliations**. (ePA_member -> More actions -> Attribute assigments
+   -> + Assign attribute -> `etc:pspng:provision_to` -> Save) (provision_to ->
+   Actions -> Add value -> `pspng_affiliations` -> Submit)
 
 .. figure:: ../figures/201-ePA-pspng.png
 
-3. Review and "Run job now" the PSPNG affiliations change log consumer daemon
+3. Review and execute "Run job now" for the PSPNG affiliations change log consumer daemon
    job (Miscellaneous -> All daemon jobs)
 
 .. figure:: ../figures/201-ePA-pspng-run.png
@@ -149,7 +152,8 @@ the demo SP. The relevant configuration is below:
     :emphasize-lines: 9
     :linenos:
 
-1. Log in to https://localhost:8443/app with username `aclark706` and password `password`.
+1. Open a private browser, and log in to https://localhost:8443/app with
+   username `aclark706` and password `password`.
 
 .. figure:: ../figures/201-ePA-attribute-release.png
 

docs/201/201.4.rst

@@ -60,8 +60,8 @@ Exercise 201.4.2 Add reference groups to policy
 access to the wiki. The natural language policy is, "All students have access
 to the student wiki, unless they are in the global deny group".
 
-#. Add `ref:student:students` to `app:wiki:service:policy:wiki_allow`.
-#. Add `ref:iam:global_deny` to `app:wiki:service:policy:wiki_deny`.
+#. Add `ref:student:students` to `app:wiki:service:policy:wiki_user_allow`.
+#. `ref:iam:global_deny` was added to `wiki_user_deny` automatically by the template.
 #. Review policy defintion (wiki_user -> More -> Visualization)
 
 .. figure:: ../figures/201-wiki-policy.png
@@ -76,7 +76,7 @@ Exercise 201.4.3 Configure PSPNG to provision wiki_user to eduPersonEntitlement
 .. figure:: ../figures/201-wiki-user-pspng.png
 
 2. Configure PSPNG to convert membership to ePE value of http://sp.example.org/wiki
-   and review in LDAP.  The relevent configuration is below:
+   and review in LDAP.  The following has already been configured in grouper-loader.properties:
 
    .. literalinclude:: examples/201-4-4.pspng-epe.grouper-loader.properties
         :language: properties
@@ -103,7 +103,7 @@ is below:
     :emphasize-lines: 17
     :linenos:
 
-1. Open a new browser to https://localhost:8443/app
+1. Open a new private browser to https://localhost:8443/app
 2. Log in with username `aclark706` and password `password`
 3. Check eduPersonEntitlement value
 

docs/201/201.5.rst

@@ -30,7 +30,7 @@ defined at the target service. The policy indicating which subjects are mapped
 to application roles (permissions sets) can be attribute based, a simple access
 control list, or some combination of both.
 
-In AC3, the policy adminstration point is split between Grouper and the target
+In ACM3, the policy adminstration point is split between Grouper and the target
 service. Policy decision point and policy enforcement point are with the target
 service.
 

ex101/ex101.1.1/container_files/seed-data/bootstrap.gsh

@@ -7,6 +7,9 @@ addRootStem("app", "app");
 addRootStem("org", "org");
 addRootStem("test", "test");
 
+addStem("ref", "iam", "iam");
+addGroup("ref:iam", "active", "active");
+
 // loader job for class year groups :ref:student:class2019, etc.
 addGroup("etc","studentTermLoader", "studentTermLoader");
 groupAddType("etc:studentTermLoader", "grouperLoader");
@@ -208,7 +211,6 @@ attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouper
 attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription",
 "Subjects denied access by CISO");
 
-addStem("ref", "iam", "iam")
 closure = addGroup("ref:iam", "closure", "closure")
 AttributeAssign attributeAssign = closure.getAttributeDelegate().hasAttribute(typeMarker) ? closure.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : closure.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign();
 attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");

ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh

@@ -7,6 +7,9 @@ addRootStem("app", "app");
 addRootStem("org", "org");
 addRootStem("test", "test");
 
+addStem("ref", "iam", "iam");
+addGroup("ref:iam", "active", "active");
+
 // loader job for class year groups :ref:student:class2019, etc.
 addGroup("etc","studentTermLoader", "studentTermLoader");
 groupAddType("etc:studentTermLoader", "grouperLoader");
@@ -208,7 +211,6 @@ attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouper
 attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription",
 "Subjects denied access by CISO");
 
-addStem("ref", "iam", "iam")
 closure = addGroup("ref:iam", "closure", "closure")
 AttributeAssign attributeAssign = closure.getAttributeDelegate().hasAttribute(typeMarker) ? closure.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : closure.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign();
 attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");