201906 401.1 gte and content updates

docs/401/appendix.rst

@@ -2,71 +2,6 @@
 Appendix
 ========
 
-.. _apdx-401.1.4-auto-end-date:
-
--------------------------------
-401.1.4 Automatic End Date Rule
--------------------------------
-
-To configure the automatic rule end date on the access control list,
-`app:vpn:ref:vpn_adhoc` you must use the Grouper Shell (GSH) to run
-a short script.  To run GSH, you must connect to the GTE container
-that has the Grouper API installed:
-
-.. code-block:: bash
-
-   root# docker exec -it CONTAINER_NAME /bin/bash 
-   bash# cd bin
-   bash# gsh
-
-At this point you can paste in the following script:
-
-.. code-block:: groovy
-   :emphasize-lines: 1,3
-   :linenos:
-
-   numDays = 180;
-   actAs = SubjectFinder.findRootSubject();
-   vpn_adhoc = getGroups("app:vpn:ref:vpn_adhoc")[0];
-   attribAssign = vpn_adhoc.getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();
-   attribValueDelegate = attribAssign.getAttributeValueDelegate();
-   attribValueDelegate.assignValue(RuleUtils.ruleActAsSubjectSourceIdName(), actAs.getSourceId());
-   attribValueDelegate.assignValue(RuleUtils.ruleRunDaemonName(), "F");
-   attribValueDelegate.assignValue(RuleUtils.ruleActAsSubjectIdName(), actAs.getId());
-   attribValueDelegate.assignValue(RuleUtils.ruleCheckTypeName(), RuleCheckType.membershipAdd.name());
-   attribValueDelegate.assignValue(RuleUtils.ruleIfConditionEnumName(), RuleIfConditionEnum.thisGroupHasImmediateEnabledNoEndDateMembership.name());
-   attribValueDelegate.assignValue(RuleUtils.ruleThenEnumName(), RuleThenEnum.assignMembershipDisabledDaysForOwnerGroupId.name());
-   attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg0Name(), numDays.toString());
-   attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg1Name(), "T");
-
-.. _apdx-401.1.5-pit-query:
-
---------------------------------------
-401.1.5 Point-in-Time Membership Query
---------------------------------------
-
-.. code-block:: sql
-   :linenos:
-
-   SELECT 
-       gpm.SUBJECT_ID, 
-       gpg.NAME, 
-       FROM_UNIXTIME(gpmav.MEMBERSHIP_START_TIME / 1000000) start_time, 
-       FROM_UNIXTIME(gpmav.MEMBERSHIP_END_TIME / 1000000) end_time 
-   FROM grouper_pit_memberships_all_v gpmav 
-       INNER JOIN grouper_pit_groups gpg 
-           ON gpmav.owner_group_id = gpg.id 
-       INNER JOIN grouper_pit_members gpm 
-           ON gpmav.MEMBER_ID = gpm.id 
-       INNER JOIN grouper_pit_fields gpf 
-           ON gpmav.field_id = gpf.id
-   WHERE gpg.name = 'app:vpn:vpn_authorized' 
-   AND gpm.subject_type = 'person'
-   AND gpf.name = 'members'
-   ORDER BY gpmav.MEMBERSHIP_START_TIME DESC 
-   ;
-
-
 .. _apdx-401.2.5-future-memberships-query:
 
 --------------------------------

ex401/class-files/CisoQuestionalUsers.txt

@@ -13,3 +13,4 @@ mprice142
 mwilliams144
 lpeterson153
 mvales154
+bsmith458

ex401/ex401.1.1/container_files/seed-data/bootstrap.gsh

@@ -6,14 +6,19 @@ addRootStem("app", "app");
 addRootStem("org", "org");
 addRootStem("test", "test");
 
-addGroup("etc","rolesLoader", "Roles Loader");
+addRootStem("401.1.1", "401.1.1")
+
+addStem("ref", "iam", "iam");
+addGroup("ref:iam", "global_deny", "global_deny");
+
+group = addGroup("etc","rolesLoader", "Roles Loader");
 groupAddType("etc:rolesLoader", "grouperLoader");
 setGroupAttr("etc:rolesLoader", "grouperLoaderDbName", "grouper");
 setGroupAttr("etc:rolesLoader", "grouperLoaderType", "SQL_GROUP_LIST");
 setGroupAttr("etc:rolesLoader", "grouperLoaderScheduleType", "CRON");
 setGroupAttr("etc:rolesLoader", "grouperLoaderQuartzCron", "0 * * * * ?");
-setGroupAttr("etc:rolesLoader", "grouperLoaderQuartzCron", "0 * * * * ?");
 setGroupAttr("etc:rolesLoader", "grouperLoaderQuery", "select distinct id as SUBJECT_IDENTIFIER, 'ldap' as SUBJECT_SOURCE_ID, CONCAT('ref:', role) as GROUP_NAME from HR_PEOPLE_ROLES");
+// loaderRunOneJob(group);
 
 group = new GroupSave(gs).assignName("etc:deptLoader").assignCreateParentStemsIfNotExist(true).save();
 group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign();
@@ -29,3 +34,4 @@ attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperL
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectExpressionName(), '${subjectAttributes["subjectId"]}');
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupNameExpressionName(), 'ref:dept:${groupAttribute}');
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupDisplayNameExpressionName(), '${groupAttribute}');
+// loaderRunOneJob(group);

ex401/ex401.1.3/container_files/seed-data/bootstrap.gsh

@@ -1,15 +1,19 @@
 gs = GrouperSession.startRootSession();
 
 addStem("app", "vpn", "vpn");
-addStem("app:vpn", "ref", "ref");
+addStem("app:vpn", "service", "service");
+addStem("app:vpn", "security", "security");
 
-addGroup("app:vpn:ref", "vpn_adhoc", "vpn_adhoc");
-addGroup("app:vpn", "vpn_authorized", "vpn_authorized");
-addGroup("app:vpn", "vpn_allow", "vpn_allow");
-addGroup("app:vpn", "vpn_deny", "vpn_deny");
+addStem("app:vpn:service", "ref", "ref")
+addStem("app:vpn:service", "policy", "policy")
 
-addMember("app:vpn:vpn_allow", "ref:faculty");
-addMember("app:vpn:vpn_allow", "ref:staff");
-addMember("app:vpn:vpn_allow", "app:vpn:ref:vpn_adhoc");
+addGroup("app:vpn:service:ref", "vpn_adhoc", "vpn_adhoc");
+addGroup("app:vpn:service:policy", "vpn_authorized", "vpn_authorized");
+addGroup("app:vpn:service:policy", "vpn_authorized_allow", "vpn_authorized_allow");
+addGroup("app:vpn:service:policy", "vpn_authorized_deny", "vpn_authorized_deny");
 
-addComposite("app:vpn:vpn_authorized", CompositeType.COMPLEMENT, "app:vpn:vpn_allow", "app:vpn:vpn_deny");
+addMember("app:vpn:service:policy:vpn_authorized_allow", "ref:faculty");
+addMember("app:vpn:service:policy:vpn_authorized_allow", "ref:staff");
+addMember("app:vpn:service:policy:vpn_authorized_allow", "app:vpn:service:ref:vpn_adhoc");
+
+addComposite("app:vpn:service:policy:vpn_authorized", CompositeType.COMPLEMENT, "app:vpn:service:policy:vpn_authorized_allow", "app:vpn:service:policy:vpn_authorized_deny");

ex401/ex401.1.end/Dockerfile

@@ -1,5 +1,5 @@
 ARG VERSION_TAG
-FROM tier/gte:401.1.6-$VERSION_TAG
+FROM tier/gte:401.1.1-$VERSION_TAG
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
       Vendor="TIER" \

ex401/ex401.1.end/container_files/seed-data/bootstrap.gsh

@@ -1,22 +1,150 @@
 gs = GrouperSession.startRootSession();
+delStem("401.1.1")
+addRootStem("401.1.end", "401.1.end")
 
-addGroup("test", "cisoQuestionableVpnUsersList", "CISO VPN Questionable VPN List");
-addMember("test:cisoQuestionableVpnUsersList","ahenderson36");
-addMember("test:cisoQuestionableVpnUsersList","cpeterson37");
-addMember("test:cisoQuestionableVpnUsersList","jclark39");
-addMember("test:cisoQuestionableVpnUsersList","kbrown62");
-addMember("test:cisoQuestionableVpnUsersList","tpeterson63");
-addMember("test:cisoQuestionableVpnUsersList","pjohnson64");
-addMember("test:cisoQuestionableVpnUsersList","aroberts95");
-addMember("test:cisoQuestionableVpnUsersList","sdavis107");
-addMember("test:cisoQuestionableVpnUsersList","mhenderson109");
-addMember("test:cisoQuestionableVpnUsersList","jvales117");
-addMember("test:cisoQuestionableVpnUsersList","sgrady139");
-addMember("test:cisoQuestionableVpnUsersList","mprice142");
-addMember("test:cisoQuestionableVpnUsersList","mwilliams144");
-addMember("test:cisoQuestionableVpnUsersList","lpeterson153");
-addMember("test:cisoQuestionableVpnUsersList","mvales154");
-
-addGroup("test", "whyvpnaccess", "Why Do They Have VPN Access");
-addComposite("test:whyvpnaccess", CompositeType.INTERSECTION, "app:vpn:vpn_authorized", "test:cisoQuestionableVpnUsersList");
+// 401.1.1
+addStem("test", "vpn", "vpn");
+
+//Create a loader job to pull in the VPN users assigned in the directory.
+group = new GroupSave(gs).assignName("test:vpn:vpn_legacy").assignCreateParentStemsIfNotExist(true).save();
+group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign();
+attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true);
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_SIMPLE");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "demo");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(cn=vpn_users)");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=groups,dc=internet2,dc=edu");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "member");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectId");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectExpressionName(), "\${loaderLdapElUtils.convertDnToSpecificValue(subjectId)}");
+loaderRunOneJob(group);
+
+// stub out loader jobs
+addGroup("ref", "faculty", "faculty");
+addGroup("ref", "staff", "staff");
+addGroup("ref", "student", "student");
+
+// Create the groups that do the grouper math to analyze the tables.
+addGroup("test:vpn", "vpn_faculty", "vpn_faculty");
+addComposite("test:vpn:vpn_faculty", CompositeType.INTERSECTION, "test:vpn:vpn_legacy", "ref:faculty");
+addGroup("test:vpn", "vpn_staff", "vpn_staff");
+addComposite("test:vpn:vpn_staff", CompositeType.INTERSECTION, "test:vpn:vpn_legacy", "ref:staff");
+addGroup("test:vpn", "vpn_students", "vpn_students");
+addComposite("test:vpn:vpn_students", CompositeType.INTERSECTION, "test:vpn:vpn_legacy", "ref:student");
+addGroup("test:vpn", "vpn_facstaffstudent", "vpn_facstaffstudent");
+addMember("test:vpn:vpn_facstaffstudent", "test:vpn:vpn_faculty");
+addMember("test:vpn:vpn_facstaffstudent", "test:vpn:vpn_staff");
+addMember("test:vpn:vpn_facstaffstudent", "test:vpn:vpn_students");
+addGroup("test:vpn", "other_cohorts", "other_cohorts");
+addComposite("test:vpn:other_cohorts", CompositeType.COMPLEMENT, "test:vpn:vpn_legacy", "test:vpn:vpn_facstaffstudent");
+
+// 401.1.2
+addStem("app", "vpn", "vpn");
+addStem("app:vpn", "service", "service");
+addStem("app:vpn", "security", "security");
+addStem("app:vpn:service", "ref", "ref")
+addStem("app:vpn:service", "policy", "policy")
+
+addGroup("app:vpn:service:ref", "vpn_adhoc", "vpn_adhoc");
+vpn_authorized = addGroup("app:vpn:service:policy", "vpn_authorized", "vpn_authorized");
+addGroup("app:vpn:service:policy", "vpn_authorized_allow", "vpn_authorized_allow");
+addGroup("app:vpn:service:policy", "vpn_authorized_deny", "vpn_authorized_deny");
+
+addMember("app:vpn:service:policy:vpn_authorized_allow", "ref:faculty");
+addMember("app:vpn:service:policy:vpn_authorized_allow", "ref:staff");
+addMember("app:vpn:service:policy:vpn_authorized_allow", "app:vpn:service:ref:vpn_adhoc");
+
+addComposite("app:vpn:service:policy:vpn_authorized", CompositeType.COMPLEMENT, "app:vpn:service:policy:vpn_authorized_allow", "app:vpn:service:policy:vpn_authorized_deny");
+
+// 401.1.3 - not sure what this isn't working... comment out for now.
+// Auto create the PSPNG attributes
+// edu.internet2.middleware.grouper.pspng.FullSyncProvisionerFactory.getFullSyncer("pspng_groupOfNames");
+// pspngAttribute = AttributeDefNameFinder.findByName("etc:pspng:provision_to", true);
+// AttributeAssignSave attributeAssignSave = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true);
+// attributeAssignSave.assignAttributeDefName(pspngAttribute);
+// attributeAssignSave.assignOwnerGroup(vpn_authorized);
+// attributeAssignSave.addValue("pspng_groupOfNames");
+// attributeAssignSave.save();
+
+// 401.1.4
+group=addGroup("app:vpn:service:ref", "vpn_consultants", "vpn_consultants");
+group.setDescription("Consultants, must be approved by VP and have expiration date set");
+group.store();
+addMember("app:vpn:service:ref:vpn_adhoc","app:vpn:service:ref:vpn_consultants");
+
+group=addGroup("app:vpn:service:ref", "vpn_ajohnson409", "vpn_ajohnson409");
+group.setDescription("Special project managed by ajohnson409");
+group.store();
+addMember("app:vpn:service:ref:vpn_adhoc","app:vpn:service:ref:vpn_ajohnson409");
+
+addGroup("app:vpn:security", "vpn_ajohnson409_mgr", "vpn_ajohnson409_mgr");
+grantPriv("app:vpn:service:ref:vpn_ajohnson409", "app:vpn:security:vpn_ajohnson409_mgr", AccessPrivilege.UPDATE);
+grantPriv("app:vpn:service:ref:vpn_ajohnson409", "app:vpn:security:vpn_ajohnson409_mgr", AccessPrivilege.READ);
+addMember("app:vpn:security:vpn_ajohnson409_mgr", "ajohnson409")
+
+GrouperSession.start(findSubject("ajohnson409"))
+addMember("app:vpn:service:ref:vpn_ajohnson409", "bsmith458")
+
+
+// 401.1.5
+// Attestation requirement
+gs = GrouperSession.startRootSession();
+group = GroupFinder.findByName(gs, "app:vpn:service:ref:vpn_ajohnson409");
+attribute = AttributeDefNameFinder.findByName("etc:attribute:attestation:attestation", true);
+attributeAssignSave = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true);
+attributeAssignSave.assignAttributeDefName(attribute);
+attributeAssignSave.assignOwnerGroup(group);
+
+attributeAssignOnAssignSave = new AttributeAssignSave(gs);
+attributeAssignOnAssignSave.assignAttributeAssignType(AttributeAssignType.group_asgn);
+attestationSendEmailAttributeDefName = AttributeDefNameFinder.findByName("etc:attribute:attestation:attestationSendEmail", false);
+attributeAssignOnAssignSave.assignAttributeDefName(attestationSendEmailAttributeDefName);
+attributeAssignOnAssignSave.addValue("true");
+attributeAssignSave.addAttributeAssignOnThisAssignment(attributeAssignOnAssignSave);
+
+attributeAssignOnAssignSave = new AttributeAssignSave(gs);
+attributeAssignOnAssignSave.assignAttributeAssignType(AttributeAssignType.group_asgn);
+attributeDefName = AttributeDefNameFinder.findByName("etc:attribute:attestation:attestationDirectAssignment", false);
+attributeAssignOnAssignSave.assignAttributeDefName(attributeDefName);
+attributeAssignOnAssignSave.addValue("true");
+attributeAssignSave.addAttributeAssignOnThisAssignment(attributeAssignOnAssignSave);
+
+attributeAssign = attributeAssignSave.save();
+
+// Automatically expire vpn_consultant subject memberships in 180 days
+numberOfDays = 180;
+actAs = SubjectFinder.findRootSubject();
+vpn_consultants = GroupFinder.findByName(gs, "app:vpn:service:ref:vpn_consultants");
+attribAssign = vpn_consultants.getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();
+attribValueDelegate = attribAssign.getAttributeValueDelegate();
+attribValueDelegate.assignValue(RuleUtils.ruleActAsSubjectSourceIdName(), actAs.getSourceId());
+attribValueDelegate.assignValue(RuleUtils.ruleActAsSubjectIdName(), actAs.getId());
+attribValueDelegate.assignValue(RuleUtils.ruleCheckTypeName(), RuleCheckType.membershipAdd.name());
+attribValueDelegate.assignValue(RuleUtils.ruleThenEnumName(), RuleThenEnum.assignMembershipDisabledDaysForOwnerGroupId.name());
+attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg0Name(), numberOfDays.toString());
+attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg1Name(), "T");
+
+addMember("app:vpn:service:ref:vpn_consultants", "jsmith")
+
+// 401.1.4 VPN access audit for list of NetIDs
+addGroup("test:vpn", "vpn_audit_list", "vpn_audit_list");
+addMember("test:vpn:vpn_audit_list","ahenderson36");
+addMember("test:vpn:vpn_audit_list","cpeterson37");
+addMember("test:vpn:vpn_audit_list","jclark39");
+addMember("test:vpn:vpn_audit_list","kbrown62");
+addMember("test:vpn:vpn_audit_list","tpeterson63");
+addMember("test:vpn:vpn_audit_list","pjohnson64");
+addMember("test:vpn:vpn_audit_list","aroberts95");
+addMember("test:vpn:vpn_audit_list","sdavis107");
+addMember("test:vpn:vpn_audit_list","mhenderson109");
+addMember("test:vpn:vpn_audit_list","jvales117");
+addMember("test:vpn:vpn_audit_list","sgrady139");
+addMember("test:vpn:vpn_audit_list","mprice142");
+addMember("test:vpn:vpn_audit_list","mwilliams144");
+addMember("test:vpn:vpn_audit_list","lpeterson153");
+addMember("test:vpn:vpn_audit_list","mvales154");
+addMember("test:vpn:vpn_audit_list","bsmith458");
+
+addGroup("test:vpn", "vpn_audit", "vpn_audit");
+addComposite("test:vpn:vpn_audit", CompositeType.INTERSECTION, "app:vpn:service:policy:vpn_authorized", "test:vpn:vpn_audit_list");
 

ex401/manualBuild.sh

@@ -1,11 +1,6 @@
 source ../buildVersion.sh
 echo "Building gte:401 version ${VERSION_TAG}"
 docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.1.1-${VERSION_TAG} ex401.1.1 \
-&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.1.2-${VERSION_TAG} ex401.1.2 \
-&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.1.3-${VERSION_TAG} ex401.1.3 \
-&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.1.4-${VERSION_TAG} ex401.1.4 \
-&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.1.5-${VERSION_TAG} ex401.1.5 \
-&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.1.6-${VERSION_TAG} ex401.1.6 \
 && docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.1.end-${VERSION_TAG} ex401.1.end \
 && docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.1-${VERSION_TAG} ex401.2.1 \
 && docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.2-${VERSION_TAG} ex401.2.2 \