Changes post-May 2022

* GROUPER_WS_GROUPER_AUTH=true
* subject source changes: wildcard uid in search; sort by last, first
* IDP don't encrypt assertion

TODO.md

@@ -2,14 +2,13 @@ TODO
 =====
 
 
+20220X
+- look for both 202205-POST (./gte) and 202205 (Jenkinsfile etc) when changing image versions
+
 202205
 -------
 - Once upgrading to 2.6.9, can remove gsh code marked "Temporary fix for GRP-4024" from bootstrap.gsh files
 - Bug in 2.6.8, attr_read isn't enough to see attributes; need admin privileges on the object to see the option in the menu
-- 301.6 and 301.7 slides need to be finished
-- 301.8 view privilege on the App folder not enough for kjenkins to view; needs create priv (make a JIRA for this)
-- web services in the GTE is protected by sso, so inaccessible by WS clients
-- xmlstarlet is not in the Amazon Linux 2 standard images but is in the EPEL repository
 - Somehow add docker-compose to the vms so we don't have to download it
 
 

base/Dockerfile

@@ -93,7 +93,8 @@ RUN chown -R tomcat /opt/shibboleth-idp/ \
 RUN chown -R tomcat:tomcat /opt/grouper/grouperWebapp
 RUN chown -R tomcat:tomcat /opt/tomee
 
-ENV GROUPER_START_DELAY_SECONDS=10
+ENV GROUPER_START_DELAY_SECONDS=10 \
+    GROUPER_WS_GROUPER_AUTH=true
 
 # note 5005 is for remote Java debugging
 EXPOSE 389 3306 8080 5005

base/container_files/conf/subject.properties

@@ -7,7 +7,8 @@ subjectApi.source.ldap.param.SubjectID_AttributeType.value = employeeNumber
 subjectApi.source.ldap.param.Name_AttributeType.value = cn
 subjectApi.source.ldap.param.Description_AttributeType.value = description
 subjectApi.source.ldap.param.emailAttributeName.value = mail
-subjectApi.source.ldap.numberOfAttributes = 8
+subjectApi.source.ldap.param.netId.value = uid
+subjectApi.source.ldap.numberOfAttributes = 9
 subjectApi.source.ldap.attribute.0.name = uid
 subjectApi.source.ldap.attribute.0.subjectIdentifier = true
 subjectApi.source.ldap.attribute.0.translationType = sourceAttributeSameAsSubjectAttribute
@@ -36,7 +37,12 @@ subjectApi.source.ldap.attribute.7.name = description
 subjectApi.source.ldap.attribute.7.formatToLowerCase = false
 subjectApi.source.ldap.attribute.7.translation = ${source_attribute__cn + ' (' + source_attribute__uid + ')'}
 subjectApi.source.ldap.attribute.7.translationType = translation
-subjectApi.source.ldap.search.search.param.filter.value = (&(|(uid=%TERM%)(employeeNumber=%TERM%)(cn=*%TERM%*))(objectclass=eduPerson))
+subjectApi.source.ldap.attribute.8.name = sortAttribute0
+subjectApi.source.ldap.attribute.8.formatToLowerCase = true
+subjectApi.source.ldap.attribute.8.translation = ${subject_attribute__sn + ',' + subject_attribute__givenname}
+subjectApi.source.ldap.attribute.8.translationType = translation
+subjectApi.source.ldap.attribute.8.internal = true
+subjectApi.source.ldap.search.search.param.filter.value = (&(|(uid=%TERM%*)(employeeNumber=%TERM%*)(cn=*%TERM%*))(objectclass=eduPerson))
 
 #todo ??? not created by UI: subjectApi.source.ldap.search.search.param.base.value = ou=people,dc=internet2,dc=edu
 #todo ??? not created by UI: subjectApi.source.ldap.search.search.param.scope.value = SUBTREE_SCOPE
@@ -53,7 +59,7 @@ subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(
 
 subjectApi.source.ldap.searchAttributeCount = 1
 subjectApi.source.ldap.searchAttribute.0.attributeName = searchAttribute0
-subjectApi.source.ldap.sortAttribute.0.attributeName = employeeNumber
+subjectApi.source.ldap.sortAttribute.0.attributeName = sortAttribute0
 subjectApi.source.ldap.sortAttributeCount = 1
 
 subjectApi.source.ldap.param.stringToFindOnCheckConfig.value = Dawn Gilmore

base/container_files/shibboleth-idp/metadata/grouper-sp.xml

@@ -1,38 +1,9 @@
-<!--
-This is example metadata only. Do *NOT* supply it as is without review,
-and do *NOT* provide it in real time to your partners.
- -->
 <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_57114916ca68943103854cb57a3a3b1c7c38bb81" entityID="https://grouperdemo/shibboleth">
 
-  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
-    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
-    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
-    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
-    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
-    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
-    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
-  </md:Extensions>
-
   <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-    <md:Extensions>
-      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://localhost/Shibboleth.sso/Login"/>
-      <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://localhost/Shibboleth.sso/Login" index="1"/>
-    </md:Extensions>
     <md:KeyDescriptor>
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-        <ds:KeyName>sp.example.org</ds:KeyName>
         <ds:X509Data>
-          <ds:X509SubjectName>CN=sp.example.org,O=Internet2/TIER,L=Ann Arbor,ST=MI,C=US</ds:X509SubjectName>
           <ds:X509Certificate>MIIDPDCCAiQCCQDNZe8r0hVtuTANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJV
 UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEXMBUGA1UECgwOSW50
 ZXJuZXQyL1RJRVIxFzAVBgNVBAMMDnNwLmV4YW1wbGUub3JnMB4XDTE3MDkyMjE5
@@ -51,28 +22,11 @@ GdYrH2iSP8WX+Yy7JH5uqkfwWzEntWHJdey39rCWKAUCCB35+/2b4N53Qmlv2+ug
 CpNJYFtXInd4YMmM5HjXLyoWXtjnKiwDqYUCeYPSwAajnCqRqRXUX0gYTFDRiwRP
 HbmO9We0nqoc/71nikmGGoSRMO/zWVMFjwmAx1fGiWdU61sjGX8sHifzmVyJVEBI
 Z75p+JrWYZJYrx/vpWxL8g==
-</ds:X509Certificate>
+          </ds:X509Certificate>
         </ds:X509Data>
       </ds:KeyInfo>
-      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
-      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
-      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
-      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
-      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
-      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
-      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
-      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
-      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
     </md:KeyDescriptor>
-    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:8443/Shibboleth.sso/Artifact/SOAP" index="1"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:8443/Shibboleth.sso/SLO/SOAP"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/Shibboleth.sso/SLO/Redirect"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/Shibboleth.sso/SLO/POST"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:8443/Shibboleth.sso/SLO/Artifact"/>
     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/Shibboleth.sso/SAML2/POST" index="1"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost:8443/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:8443/Shibboleth.sso/SAML2/Artifact" index="3"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://localhost:8443/Shibboleth.sso/SAML2/ECP" index="4"/>
   </md:SPSSODescriptor>
 
-</md:EntityDescriptor>
+</md:EntityDescriptor>

ex101/ex101.1.1/container_files/seed-data/bootstrap.gsh

@@ -530,6 +530,8 @@ def group = new GroupSave(gs).assignName("ref:role:all_facstaff").assignDisplayE
     group.addMember(s, false)
 }
 
+assignObjectTypeForGroup(group, "ref", "HR, IAM", "Combines the All Faculty plus All Staff reference groups")
+
 
 /***** Schedule jobs is an upgrade task for 2.5.55 ****/
 

gte

@@ -1,7 +1,7 @@
 #! /bin/bash
 
 REPOSITORY=tier/gte
-VERSION_TAG=202205
+VERSION_TAG=202205-post
 
 EXTRA_ARGS=