ex401.2.* generally complete
John Gasper committed Sep 20, 2018
1 parent 09dd519 commit a833bb5
Showing 17 changed files with 237 additions and 33 deletions.
7 changes: 7 additions & 0 deletions README.md
Expand Up @@ -26,11 +26,18 @@ Current tags:
- ex401.1.3
- ex401.1.4
- ex401.1.5
- ex401.1.6
- ex401.1.end
- ex401.2.1
- ex401.2.2
- ex401.2.3
- ex401.2.4
- ex401.2.5
- ex401.2.6
- ex401.2.7
- ex401.2.8
- ex401.2.9
- ex401.2.end

Browse to `https://localhost/grouper` for Grouper. There is also an app that dumps the SP user attributes at `https://localhost/app`.

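--- a/ex401/class-files/AthleticDeptartmentUsers.txt
+++ b/ex401/class-files/AthleticDeptartmentUsers.txt
@@ -0,0 +1,15 @@
+jdavis4
+ldavis5
+janderson13
+rdavis16
+cthompson28
+ahenderson36
+amorrison42
+pthompson61
+bsmith65
+jlangenberg100
+nscott103
+jprice108
+jvales117
+mmartinez133
+mgrady137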
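--- a/ex401/class-files/Non-facultyBannerUsers.txt
+++ b/ex401/class-files/Non-facultyBannerUsers.txt
@@ -0,0 +1,35 @@
+nscott103
+jprice108
+mnielson143
+mvales154
+wclark159
+kthompson169
+athompson183
+sanderson191
+jlangenberg194
+jwhite222
+rwilliams230
+pwilliams242
+lprice328
+dgrady331
+edoe348
+svales366
+mhenderson377
+mlewis390
+mroberts391
+llopez398
+amorrison406
+janderson459
+wmartinez487
+lvales502
+cvales514
+jprice523
+rvales544
+iprice563
+bmartinez592
+jnielson598
+amartinez605
+dprice607
+mbutler632
+lbutler643
+dmartinez657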
78 changes: 68 additions & 10 deletions ex401/data-generator.html
Expand Up @@ -54,7 +54,7 @@

var departments = ["Computer Science", "Engineering", "Business", "Accounting",
"Law", "Physical Education", "Language Arts", "Financial Aid",
"Information Technology", "Advising", "Purchasing", "Account Payable"
"Information Technology", "Advising", "Purchasing", "Accounts Payable"
];

var affiliations = ["student", "staff", "faculty", "alum", "community"];
Expand Down Expand Up @@ -94,18 +94,23 @@

//Add additional randomized characteristics sets here;
//keep the ordering the same to maintain deterministic capabilities between runs

//Assign departments
for (index = 0; index < people.length; ++index) {
people[index]["department"] = departments[rng.nextRange(0, departments.length)];
}

//Assign affiliations
for (index = 0; index < people.length; ++index) {
people[index]["affiliations"] = selectUnduplicated(affiliations, 2);
}

//Assign titles/primary affiliations
for (index = 0; index < people.length; ++index) {
people[index]["title"] = rankAffiliations(people[index].affiliations);
}

//Create Course Enrollments
for (index = 0; index < people.length; ++index) {
people[index]["courses"] = [];
if (people[index]["affiliations"].indexOf("student") > -1
Expand All @@ -114,14 +119,22 @@
}
}

//Create vpn_users
for (index = 0; index < people.length; ++index) {
people[index].vpn_user = people[index].affiliations.indexOf('staff') >= 0 || people[index].affiliations.indexOf('faculty') >= 0 ?
(rng.nextFloat() > 0.20): //grab most faculty and staff
(rng.nextFloat() > 0.1): //grab most faculty and staff
rng.nextFloat() > 0.9; // and only a few others
}

//Create vpn users ldap group
makeQuestionableVpnUsersLists(people);

//Create Athletics users
makeAthleticsUsersLists(people);

//Create lists of non-faculty (staff) banner users
makeNonFacultyBannerUsersLists(people);

console.log(people);

//Generate Output
Expand Down Expand Up @@ -170,9 +183,6 @@
output += "eduPersonAffiliation: " + person.affiliations[i] + "\n";
}

/*if (person.vpn_user == 1) {}
output += "member: cn=vpn_users,ou=Groups,dc=internet2,dc=edu\n";
*/
return output + "\n";
}

Expand Down Expand Up @@ -303,9 +313,44 @@
}
}

document.getElementById('csv').value = csvOutput;
document.getElementById('gsh').value = gshOutput;
document.getElementById('vpnCsv').value = csvOutput;
document.getElementById('vpnGsh').value = gshOutput;
}

function makeAthleticsUsersLists(people) {
var csvOutput = "";
var gshOutput = 'addGroup("app:mfa:ref", "athletics_dept", "athletics_dept");\n';
var sampleCount = 15;

for (i = 0; i < people.length && sampleCount > 0; i++) {
if (people[i].affiliations.indexOf('staff') >= 0 & rng.nextFloat() > 0.75) {
csvOutput = csvOutput + people[i].uid + "\n";
gshOutput = gshOutput + 'addMember("app:mfa:ref:athletics_dept","' + people[i].uid + '");\n';
sampleCount--;
}
}

document.getElementById('athleticsCsv').value = csvOutput;
document.getElementById('athleticsGsh').value = gshOutput;
}

function makeNonFacultyBannerUsersLists(people) {
var csvOutput = "";
var gshOutput = 'addGroup("app:mfa:ref", "NonFacultyBannerINB", "NonFacultyBannerINB");\n';
var sampleCount = 35;

for (i = 100; i < people.length && sampleCount > 0; i++) {
if (people[i].affiliations.indexOf('staff') >= 0 & rng.nextFloat() > 0.75) {
csvOutput = csvOutput + people[i].uid + "\n";
gshOutput = gshOutput + 'addMember("app:mfa:ref:NonFacultyBannerINB","' + people[i].uid + '");\n';
sampleCount--;
}
}

document.getElementById('bannerCsv').value = csvOutput;
document.getElementById('bannerGsh').value = gshOutput;
}

</script>
</head>

Expand All @@ -318,16 +363,29 @@
</form>

<p>
Ldif: <br /><textarea cols="100" rows="15" id="ldif"></textarea><br />
Ldif: <br /><textarea cols="100" rows="15" id="ldif"></textarea><br />
</p>
<p>
Sql: <br /><textarea cols="100" rows="15" id="sql"></textarea> <br />
</p>
<p>
Questionable VPN Users CSV: <br /><textarea cols="100" rows="15" id="csv"></textarea> <br />
Questionable VPN Users CSV: <br /><textarea cols="100" rows="15" id="vpnCsv"></textarea> <br />
</p>
<p>
Questionable VPN Users GSH: <br /><textarea cols="100" rows="15" id="vpnGsh"></textarea> <br />
</p>

<p>
Athletic Dept CSV: <br /><textarea cols="100" rows="15" id="athleticsCsv"></textarea> <br />
</p>
<p>
Atheltics Dept GSH: <br /><textarea cols="100" rows="15" id="athleticsGsh"></textarea> <br />
</p>
<p>
Non-faculty Banner Users CSV: <br /><textarea cols="100" rows="15" id="bannerCsv"></textarea> <br />
</p>
<p>
Questionable VPN Users GSH: <br /><textarea cols="100" rows="15" id="gsh"></textarea> <br />
Non-faculty Banner Users GSH: <br /><textarea cols="100" rows="15" id="bannerGsh"></textarea> <br />
</p>
</body>

15 changes: 15 additions & 0 deletions ex401/ex401.1.1/container_files/seed-data/bootstrap.gsh
Expand Up @@ -14,3 +14,18 @@ setGroupAttr("etc:rolesLoader", "grouperLoaderScheduleType", "CRON");
setGroupAttr("etc:rolesLoader", "grouperLoaderQuartzCron", "0 * * * * ?");
setGroupAttr("etc:rolesLoader", "grouperLoaderQuartzCron", "0 * * * * ?");
setGroupAttr("etc:rolesLoader", "grouperLoaderQuery", "select distinct id as SUBJECT_IDENTIFIER, 'ldap' as SUBJECT_SOURCE_ID, CONCAT('ref:', role) as GROUP_NAME from HR_PEOPLE_ROLES");

group = new GroupSave(gs).assignName("etc:deptLoader").assignCreateParentStemsIfNotExist(true).save();
group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign();
attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true);
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_GROUPS_FROM_ATTRIBUTES");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "demo");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(businessCategory=*)");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=People,dc=internet2,dc=edu");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "uid");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupAttributeName(), "businessCategory");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectId");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectExpressionName(), '${subjectAttributes["subjectId"]}');
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupNameExpressionName(), 'ref:dept:${groupAttribute}');
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupDisplayNameExpressionName(), '${groupAttribute}');
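Review bot: The new LDAP loader turns every distinct `businessCategory` value under `ou=People,dc=internet2,dc=edu` into a group `ref:dept:<value>` (L255–L261), so that directory attribute becomes the authority for membership in groups that, judging from the ex401.2.5 bootstrap in this commit, are added to `app:mfa:mfa_enabled_allow`; whoever can write that attribute can therefore move users into the MFA-enabled population. That is acceptable for seed data but worth stating, e.g. `// businessCategory is trusted as the sole source of ref:dept:* membership; keep write access to it restricted in the directory` above L249. Because the filter is `(businessCategory=*)`, any value, including ones with spaces such as the generator's department names, yields a group whose extension is the raw value, which is consistent with the `ref:dept:Information Technology` name used in ex401.2.5. The `.getAttributeAssign()` result on L250 is discarded and the same assignment is fetched again on L251, so the chain could simply end at `assignAttribute(...)`. The file continues outside the hunk.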
1 change: 1 addition & 0 deletions ex401/ex401.1.1/container_files/seed-data/users.ldif
Expand Up @@ -17963,3 +17963,4 @@ member: uid=tjohnson985,ou=people,dc=internet2,dc=edu
member: uid=elopez987,ou=people,dc=internet2,dc=edu
member: uid=kvales993,ou=people,dc=internet2,dc=edu
member: uid=cgasper998,ou=people,dc=internet2,dc=edu

2 changes: 1 addition & 1 deletion ex401/ex401.1.2/container_files/seed-data/bootstrap.gsh
Expand Up @@ -10,7 +10,7 @@ attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperL
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_SIMPLE");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "demo");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(cn=vpn_users)");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=groups");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=groups,dc=internet2,dc=edu");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "member");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectId");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectExpressionName(), "\${loaderLdapElUtils.convertDnToSpecificValue(subjectId)}");
12 changes: 6 additions & 6 deletions ex401/ex401.2.3/container_files/grouper-loader.properties
Expand Up @@ -37,7 +37,7 @@
#note the URL should start with ldap: or ldaps: if it is SSL.
#It should contain the server and port (optional if not default), and baseDn,
#e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu
ldap.demo.url = ldap://localhost:389/dc=internet2,dc=edu
ldap.demo.url = ldap://localhost:389/

#optional, if authenticated
ldap.demo.user = cn=root,dc=internet2,dc=edu
Expand Down Expand Up @@ -79,12 +79,12 @@ changeLog.consumer.pspng_groupOfNames.ldapPoolName = demo
changeLog.consumer.pspng_groupOfNames.supportsEmptyGroups = false
changeLog.consumer.pspng_groupOfNames.memberAttributeName = member
changeLog.consumer.pspng_groupOfNames.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.pspng_groupOfNames.groupSearchBaseDn = ou=groups
changeLog.consumer.pspng_groupOfNames.groupSearchBaseDn = ou=groups,dc=internet2,dc=edu
changeLog.consumer.pspng_groupOfNames.allGroupsSearchFilter = objectclass=groupOfNames
changeLog.consumer.pspng_groupOfNames.singleGroupSearchFilter = (&(objectclass=groupOfNames)(cn=${group.name}))
changeLog.consumer.pspng_groupOfNames.groupSearchAttributes = cn,objectclass
changeLog.consumer.pspng_groupOfNames.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: groupOfNames
changeLog.consumer.pspng_groupOfNames.userSearchBaseDn = ou=people
changeLog.consumer.pspng_groupOfNames.userSearchBaseDn = ou=people,dc=internet2,dc=edu
changeLog.consumer.pspng_groupOfNames.userSearchFilter = uid=${subject.id}
changeLog.consumer.pspng_groupOfNames.grouperIsAuthoritative = true

Expand All @@ -94,7 +94,7 @@ changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.ps
changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
changeLog.consumer.pspng_entitlements.ldapPoolName = demo
changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = urn:mace:example.edu:${group.extension}
changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people
changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.extension.equalsIgnoreCase('app:mfa:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : 'urn:mace:example.edu:' + group.extension}
changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=urn:mace:example.edu:
changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=*
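Review bot: The new `provisionedAttributeValueFormat` on L314 compares `group.extension` with the full name `app:mfa:mfa_enabled`, but the extension is only the final component (the removed format produced `urn:mace:example.edu:mfa_enabled` from it, which is what the removed IdP check in this commit expected), so the comparison looks like it can never be true and the `http://tier.internet2.edu/mfa/enabled` value the IdP script check added in this commit (L361) waits for would not be provisioned. Comparing on the full name, as `singleGroupSearchFilter` on L300 already does, should fix it: `changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : 'urn:mace:example.edu:' + group.extension}`. The change of `allProvisionedValuesPrefix` to `*` on L318 appears to widen the set of eduPersonEntitlement values PSPNG treats as its own from the `urn:mace:example.edu:` namespace to every value, so if this consumer is, or later becomes, authoritative, entitlements maintained by other systems could be removed; a comment recording that this is deliberate, e.g. `# '*' makes PSPNG own every eduPersonEntitlement value, not only the urn:mace:example.edu: namespace`, would help the next reader. The URL change on L289 drops the base DN, which is consistent with the search bases becoming absolute DNs here and in the ex401.1.2 bootstrap.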
11 changes: 8 additions & 3 deletions ex401/ex401.2.4/container_files/idp/conf/authn/general-authn.xml
Expand Up @@ -122,9 +122,9 @@
<property name="supportedPrincipals">
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="http://tier.internet2.edu/mfa/enabled" />
c:classRef="https://refeds.org/profile/mfa" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="http://tier.internet2.edu/mfa/enabled" />
c:method="https://refeds.org/profile/mfa" />
</list>
</property>
</bean>
Expand All @@ -136,7 +136,7 @@
The list below almost certainly requires changes, and should generally be the
union of any of the separate factors you combine in your particular MFA flow
rules. The example corresponds to the example in mfa-authn-config.xml that
combines IPAddress with Password.
combines GaspoMFA with Password.
-->
<property name="supportedPrincipals">
<list>
Expand All @@ -148,6 +148,11 @@
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://refeds.org/profile/mfa" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="https://refeds.org/profile/mfa" />

</list>
</property>
</bean>
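Review bot: The `@@ -148` hunk makes the MFA flow advertise `https://refeds.org/profile/mfa` (L346–L349) without a comment saying what the flow does to earn it; the REFEDS MFA profile is a statement about the authentication that actually took place, so whether it may be asserted depends on the transition script selecting the second factor (the `authn/Gaspo` step seen elsewhere in this commit), not on this list alone. A short note above L346 such as `<!-- REFEDS MFA may only be asserted when the MFA script actually ran the second factor; see the mfa-authn transition script -->` would keep the next editor from treating the list as the policy. The comment on L338 now names `GaspoMFA` while the script selects `authn/Gaspo`; if these refer to the same flow, one spelling would avoid confusion. L350 is a stray blank line inside the list.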
Expand Up @@ -83,7 +83,7 @@
// Check for an attribute that authorizes use of first factor.
attribute = resCtx.getResolvedIdPAttributes().get("eduPersonEntitlement");
valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
if (attribute != null && attribute.getValues().contains(new valueType("urn:mace:example.edu:mfa_enabled"))) {
if (attribute != null && attribute.getValues().contains(new valueType("http://tier.internet2.edu/mfa/enabled"))) {
nextFlow = "authn/Gaspo";
}
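Review bot: The literal `http://tier.internet2.edu/mfa/enabled` on L361 must match, byte for byte, the value that `changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat` in grouper-loader.properties writes for `app:mfa:mfa_enabled`, and nothing in either file ties the two together; a comment such as `// must equal the MFA value emitted by pspng_entitlements.provisionedAttributeValueFormat in grouper-loader.properties` on the line above L361 would record the dependency. The comment on L357 still says the attribute "authorizes use of first factor" while the branch selects `authn/Gaspo`, which reads as the second factor; if so, the comment is worth updating in the same commit. The file header for this section is missing from the page, and the enclosing function starts and ends outside the hunk.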
28 changes: 24 additions & 4 deletions ex401/ex401.2.5/container_files/seed-data/bootstrap.gsh
@@ -1,11 +1,31 @@
gs = GrouperSession.startRootSession();


addStem("ref", "dept", "dept");
addGroup("ref:dept", "its", "its");
addMember("app:mfa:mfa_enabled_allow", "ref:dept:its");
addGroup("ref:dept", "Information Technology", "Information Technology");
addMember("app:mfa:mfa_enabled_allow", "ref:dept:Information Technology");

addGroup("app:mfa:ref", "mfa_bypass", "mfa_bypass");
addGroup("app:mfa:ref", "athletics", "athletics");

addMember("app:mfa:mfa_enabled_deny", "app:mfa:ref:mfa_bypass");
addMember("app:mfa:mfa_enabled_allow", "app:mfa:ref:athletics");


addGroup("app:mfa:ref", "athletics_dept", "athletics_dept");
addMember("app:mfa:ref:athletics_dept","jdavis4");
addMember("app:mfa:ref:athletics_dept","ldavis5");
addMember("app:mfa:ref:athletics_dept","janderson13");
addMember("app:mfa:ref:athletics_dept","rdavis16");
addMember("app:mfa:ref:athletics_dept","cthompson28");
addMember("app:mfa:ref:athletics_dept","ahenderson36");
addMember("app:mfa:ref:athletics_dept","amorrison42");
addMember("app:mfa:ref:athletics_dept","pthompson61");
addMember("app:mfa:ref:athletics_dept","bsmith65");
addMember("app:mfa:ref:athletics_dept","jlangenberg100");
addMember("app:mfa:ref:athletics_dept","nscott103");
addMember("app:mfa:ref:athletics_dept","jprice108");
addMember("app:mfa:ref:athletics_dept","jvales117");
addMember("app:mfa:ref:athletics_dept","mmartinez133");
addMember("app:mfa:ref:athletics_dept","mgrady137");


addMember("app:mfa:mfa_enabled_allow", "app:mfa:ref:athletics_dept");
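Review bot: The 15 `addMember` lines for `app:mfa:ref:athletics_dept` (L385–L399) duplicate class-files/AthleticDeptartmentUsers.txt and the GSH that data-generator.html's `makeAthleticsUsersLists` now emits, with no note of where they came from; a comment such as `// generated by data-generator.html (makeAthleticsUsersLists); keep in sync with class-files/AthleticDeptartmentUsers.txt` above L384 would make regeneration safe. The older `app:mfa:ref:athletics` group (L378) stays in `mfa_enabled_allow` (L381) alongside the new `athletics_dept` group (L402); if `athletics_dept` supersedes it, the empty group is a leftover policy entry worth removing or annotating. `ref:dept:Information Technology` (L374–L375) now carries a space in the extension to match the department names the generator assigns, and it is also the name the ex401.1.1 loader expression `ref:dept:${groupAttribute}` would produce from that department, so the two stay in step.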