From ac5c0a04d2e080af0c356946703a4a295c7f5789 Mon Sep 17 00:00:00 2001
From: John Gasper
Date: Thu, 12 Jul 2018 16:34:14 -0700
Subject: [PATCH] proof of concept entitlement attributes; more image name clean-up
---
 README.md | 4 ++--
 .../container_files/httpd/grouper-testapp.conf | 2 +-
 base/container_files/seed-data/users.ldif | 2 +-
 .../shibboleth-idp/conf/idp.properties | 2 +-
 exercise1/Dockerfile | 2 +-
 exercise2/Dockerfile | 2 +-
 full-demo/Dockerfile | 2 +-
 full-demo/container_files/demo.gsh | 18 ++++++++++++++++--
 .../container_files/grouper-loader.properties | 13 +++++++++++++
 manualBuild.sh | 8 ++++----
 10 files changed, 41 insertions(+), 14 deletions(-)
diff --git a/README.md b/README.md
index 0f68184..4c952f7 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@ A set of Grouper images that are used during I2/TIER training.
 ```
 docker run -d -p 80:80 -p 389:389 -p 443:443 -p 3306:3306 -p 4443:4443 \
- --name grouper-demo tier/grouper_training_full_demo:latest
+ --name grouper-demo tier/grouper-training-env:full_demo
 ```
 Browse to `https://localhost/grouper`
@@ -16,7 +16,7 @@ Browse to `https://localhost/grouper`
 ```
 docker run -d -p 80:80 -p 389:389 -p 443:443 -p 3306:3306 -p 4443:4443 \
- --name grouper tier/grouper_training_ex###:latest
+ --name grouper tier/grouper-training-env:exXXX
 ```
 Browse to `https://localhost/grouper` for Grouper. There is also an app that dumps the SP user attributes at `https://localhost/app`.
diff --git a/base/container_files/httpd/grouper-testapp.conf b/base/container_files/httpd/grouper-testapp.conf
index 2cc9891..3ecb6b5 100644
--- a/base/container_files/httpd/grouper-testapp.conf
+++ b/base/container_files/httpd/grouper-testapp.conf
@@ -14,7 +14,7 @@ AuthType shibboleth
 ShibRequestSetting requireSession 1
 ShibRequireSession on
- Require shib-attr eduPersonEntitlement admin superuser
+ Require shib-attr eduPersonEntitlement urn:mace:example.edu:admin urn:mace:example.edu:superUser
 ErrorDocument 401 /app/accessError.html
 DirectoryIndex index.html
diff --git a/base/container_files/seed-data/users.ldif b/base/container_files/seed-data/users.ldif
index 7f6e648..4844edf 100644
--- a/base/container_files/seed-data/users.ldif
+++ b/base/container_files/seed-data/users.ldif
@@ -41,7 +41,7 @@ uid: banderson
 sn: Anderson
 cn: Bob Anderson
 userPassword: password
-eduPersonEntitlement: admin
+eduPersonEntitlement: urn:mace:example.edu:admin
 
 dn: cn=users,ou=Groups,dc=internet2,dc=edu
 objectClass: groupOfUniqueNames
diff --git a/base/container_files/shibboleth-idp/conf/idp.properties b/base/container_files/shibboleth-idp/conf/idp.properties
index 4396f49..ca9797b 100644
--- a/base/container_files/shibboleth-idp/conf/idp.properties
+++ b/base/container_files/shibboleth-idp/conf/idp.properties
@@ -5,7 +5,7 @@ idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /
 idp.entityID= https://idptestbed/idp/shibboleth
 
 # Set the scope used in the attribute resolver for scoped attributes
-idp.scope= example.org
+idp.scope= example.edu
 
 # General cookie properties (maxAge only applies to persistent cookies)
 #idp.cookie.secure = false
diff --git a/exercise1/Dockerfile b/exercise1/Dockerfile
index ca3ef88..fcdbb24 100644
--- a/exercise1/Dockerfile
+++ b/exercise1/Dockerfile
@@ -1,4 +1,4 @@
-FROM tier/grouper_training_env:base
+FROM tier/grouper-training-env:base
 
 LABEL author="tier-packaging@internet2.edu " \
 Vendor="TIER" \
diff --git a/exercise2/Dockerfile b/exercise2/Dockerfile
index 1eabc12..0ac186b 100644
--- a/exercise2/Dockerfile
+++ b/exercise2/Dockerfile
@@ -1,4 +1,4 @@
-FROM tier/grouper_training_env:base
+FROM tier/grouper-training-env:base
 
 LABEL author="tier-packaging@internet2.edu " \
 Vendor="TIER" \
diff --git a/full-demo/Dockerfile b/full-demo/Dockerfile
index be6898a..16ed46b 100644
--- a/full-demo/Dockerfile
+++ b/full-demo/Dockerfile
@@ -1,4 +1,4 @@
-FROM tier/grouper_training_env:base
+FROM tier/grouper-training-env:base
 
 LABEL author="tier-packaging@internet2.edu " \
 Vendor="TIER" \
diff --git a/full-demo/container_files/demo.gsh b/full-demo/container_files/demo.gsh
index abaa8c3..785912c 100644
--- a/full-demo/container_files/demo.gsh
+++ b/full-demo/container_files/demo.gsh
@@ -221,12 +221,26 @@ addMember("app:banner:banner_user_allow", "banderson");
 # Auto create the PSPNG attributes
 edu.internet2.middleware.grouper.pspng.FullSyncProvisionerFactory.getFullSyncer("pspng_groupOfUniqueNames");
-#Assign the PSPNG attributes
+
 AttributeDef pspngAttributeDef = AttributeDefFinder.findByName("etc:pspng:provision_to_def", true);
 AttributeDefName pspngAttribute = AttributeDefNameFinder.findByName("etc:pspng:provision_to", true);
-
 AttributeAssignSave attributeAssignSave = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true);
+
+#Assign the PSPNG attribute for the standard groups
 attributeAssignSave.assignAttributeDefName(pspngAttribute);
 attributeAssignSave.assignOwnerStem(testStem);
 attributeAssignSave.addValue("pspng_groupOfUniqueNames");
 attributeAssignSave.save();
+
+#Assign the PSPNG attribute for the entitlements
+AttributeAssignSave attributeAssignSave2 = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true);
+attributeAssignSave2.assignAttributeDefName(pspngAttribute);
+attributeAssignSave2.assignOwnerGroup(GroupFinder.findByName(gs, "app:vpn:vpn_user", true));
+attributeAssignSave2.addValue("pspng_entitlements");
+attributeAssignSave2.save();
+
+attributeAssignSave2 = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true);
+attributeAssignSave2.assignAttributeDefName(pspngAttribute);
+attributeAssignSave2.assignOwnerGroup(GroupFinder.findByName(gs, "app:banner:banner_user", true));
+attributeAssignSave2.addValue("pspng_entitlements");
+attributeAssignSave2.save();
diff --git a/full-demo/container_files/grouper-loader.properties b/full-demo/container_files/grouper-loader.properties
index 6a59f36..fbf9c2b 100644
--- a/full-demo/container_files/grouper-loader.properties
+++ b/full-demo/container_files/grouper-loader.properties
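Review bot: The two new entitlement stanzas hard-code `app:vpn:vpn_user` and `app:banner:banner_user` without saying why those groups were chosen, and nothing in the script ties the value `pspng_entitlements` to the consumer of the same name in grouper-loader.properties, so a reader cannot tell from this file what the assignment actually publishes. A comment before the first stanza such as `# Groups tagged here are published by the pspng_entitlements consumer (grouper-loader.properties) as eduPersonEntitlement values built from the group extension, e.g. urn:mace:example.edu:vpn_user` would make that cross-file dependency and the resulting LDAP value visible. Reassigning `attributeAssignSave2` for the second group is a point of style rather than a defect; one variable per group, or a loop over the two group names, would read more clearly and makes adding a third group a one-line change.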
@@ -88,3 +88,16 @@ changeLog.consumer.pspng_groupOfUniqueNames.groupCreationLdifTemplate = dn: cn=$
 changeLog.consumer.pspng_groupOfUniqueNames.userSearchBaseDn = ou=people,dc=internet2,dc=edu
 changeLog.consumer.pspng_groupOfUniqueNames.userSearchFilter = uid=${subject.id}
 changeLog.consumer.pspng_groupOfUniqueNames.grouperIsAuthoritative = true
+changeLog.consumer.pspng_groupOfUniqueNames.provisionedAttributeName = eduPersonEntitlement
+changeLog.consumer.pspng_groupOfUniqueNames.provisionedAttributeValueFormat = g:${group.name}
+
+
+changeLog.consumer.pspng_entitlements.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
+changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner
+changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
+changeLog.consumer.pspng_entitlements.ldapPoolName = demo
+changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
+changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = urn:mace:example.edu:${group.extension}
+changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
+changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
+changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=urn:mace:example.edu:
diff --git a/manualBuild.sh b/manualBuild.sh
index 8c710d9..b4de140 100755
--- a/manualBuild.sh
+++ b/manualBuild.sh
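Review bot: `allProvisionedValuesPrefix=urn:mace:example.edu:` on the last added line makes the pspng_entitlements consumer claim the very namespace in which grouper-testapp.conf (this commit's httpd hunk) authorizes `urn:mace:example.edu:admin` and `urn:mace:example.edu:superUser` and users.ldif seeds the admin value for banderson; if PSPNG treats every value under that prefix as its own, which is what the setting name suggests but should be confirmed against the PSPNG documentation, a full sync would strip the seeded admin value, and any Grouper group whose extension happens to be `admin` or `superUser` and that carries the provision_to attribute would mint a value that unlocks the test app. Keeping group-derived values in a sub-namespace of their own separates them from the hand-managed authorization values, e.g. `changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = urn:mace:example.edu:grouper:${group.extension}` together with `changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix = urn:mace:example.edu:grouper:` (the prefix must always stay a prefix of the value format). `${group.extension}` alone is also not unique across stems, so two groups in different folders with the same extension would collapse into one entitlement value; a stem-qualified form such as `${group.name}` with the colons replaced avoids that. The two `provisionedAttributeName`/`provisionedAttributeValueFormat` lines added to the pspng_groupOfUniqueNames consumer look like attribute-provisioner settings placed on what the `groupCreationLdifTemplate` context line shows is a group provisioner; if that provisioner type does not read them, drop them or add a comment stating why they are there.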
@@ -1,7 +1,7 @@
-docker build --tag=tier/grouper_training_env:base base/ \
-&& docker build --tag=tier/grouper_training_env:ex1 exercise1 \
-&& docker build --tag=tier/grouper_training_env:ex2 exercise2 \
-&& docker build --tag=tier/grouper_training_env:full_demo full-demo
+docker build --tag=tier/grouper-training-env:base base/ \
+&& docker build --tag=tier/grouper-training-env:ex1 exercise1 \
+&& docker build --tag=tier/grouper-training-env:ex2 exercise2 \
+&& docker build --tag=tier/grouper-training-env:full_demo full-demo
 
 if [[ "$OSTYPE" == "darwin"* ]]; then
 say build complete