diff --git a/docs/401/401.1.rst b/docs/401/401.1.rst index 2854fd6..f4fc3df 100644 --- a/docs/401/401.1.rst +++ b/docs/401/401.1.rst @@ -409,4 +409,4 @@ attestation lifecycle. Exception managment is distributed and VPN policy participates in the global deny policy. .. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program -.. _`PSPNG`: https://spaces.at.internet2.edu/x/iwfSBQ \ No newline at end of file +.. _PSPNG: https://spaces.at.internet2.edu/x/iwfSBQ diff --git a/docs/401/401.2.rst b/docs/401/401.2.rst index 10db353..f80ebf0 100644 --- a/docs/401/401.2.rst +++ b/docs/401/401.2.rst 
@@ -27,55 +27,58 @@ Overview -------- Your institution is deploying multi-factor authentication (MFA). The first -target application is Web SSO. Any account enabled for MFA will experience -common MFA behaviors sufficient to assert the REFEDS MFA profile during -WebSSO authentication. The project plan calls for an initial pilot phase, -followed by a number phases where different cohorts will be required or -may opt-in. During the initial pilot phase, select cohorts will be asked to -volunteer. Your mission, should you choose to accept, is to create and evolve -the digital policy necessary to achieve the project goals. - ----------------- -Exercise 401.2.1 ----------------- - -*Create initial MFA application folder set and policy in Grouper* - -#. Create `app:mfa:mfa_enabled|allow|deny`. -#. Create `app:mfa:ref:pilot`. This reference group is an access control - list (ACL) as opposed to ABAC policy. -#. Add `app:mfa:ref:pilot` to `app:mfa:mfa_enabled_allow`. +target application is WebSSO. Any account enabled for MFA will experience +common MFA behaviors sufficient to assert the REFEDS MFA profile during WebSSO +authentication. The project plan calls for an initial pilot phase, followed by +a number phases where different cohorts will be required or may opt-in. During +the initial pilot phase, select cohorts will be asked to volunteer. Your +mission, should you choose to accept, is to create and evolve the digital +policy necessary to achieve the project goals. +--------------------------------------------------------------------- +Exercise 401.2.1 Create initial MFA application folder set and policy +--------------------------------------------------------------------- ----------------- -Exercise 401.2.2 ----------------- +#. Use the application template and the policy group template to create a new + `mfa` application folder and policy group called `mfa_enabled` -*Establish an eduPersonEntitlement value to signal "MFA enabled"* +#. 
Create a new group `app:mfa:ref:pilot`. This reference group will hold our + pilot users and is is an access control list (ACL) as opposed to ABAC + policy. -We will assign a unique `eduPersonEntitilement` (ePE) value to LDAP accounts -that are MFA enabled. We choose the value -**http://tier.internet2.edu/mfa/enabled**. +#. Add `app:mfa:ref:pilot` to `app:mfa:mfa_enabled_allow`. -There are 2 steps to accomplish this: +.. figure: ../figures/401-mfa-enabled.png -#. Assign PSPNG `provision_to` attribute (attribute def `provision_to_def`) - to `app:mfa:mfa_enabled` with a value of `pspng_entitlements`. -#. Configure PSPNG to provision this attribute. +----------------------------------------------------------------------------- +Exercise 401.2.2 Establish eduPersonEntitlement value to signal "MFA enabled" +----------------------------------------------------------------------------- + +We will assign a unique `eduPersonEntitilement` (ePE) value to LDAP accounts +that are MFA enabled. Let's use **http://tier.internet2.edu/mfa/enabled**. as +the ePE value. + +1. Configure PSPNG to provision this attribute. This is already configure for +you in `grouper-loader.properties`. .. literalinclude:: examples/401.2.2-pspng-config.properties :language: properties :lines: 92-100 :caption: grouper-loader.properties :name: 401.2.2-pspng-groupofnames - :linenos: ----------------- -Exercise 401.2.3 ----------------- +2. Assign PSPNG `provision_to` attribute to `mfa_enabled` with a value + of `pspng_entitlements`. 
+ +------------------------------------------------------------------ +Exercise 401.2.3 Configure Shib IdP to honor MFA enabled ePE value +------------------------------------------------------------------ -*Configure Shibboleth IdP to honor MFA enabled ePE value and assert REFEDS -MFA profile* +We will configure the Shib IdP to enfornce MFA behaviors sufficient to assert +`REFEDS MFA profile`_ in the SAML authentcation response, if the subject as an +ePE value of **http://tier.internet2.edu/mfa/enabled**. + +The following is already configured for you in the GTE Shibboleth IdP. .. literalinclude:: examples/401.2.3-general-authn.xml :language: xml 
@@ -91,146 +94,186 @@ MFA profile* :caption: mfa-authn-config.xml :linenos: -Now have a working MFA policy. Adding new volunteers to the pilot is as easy as -adding members to the pilot group. The next rollout phase calls for onboarding -select departments, but allow for exceptions. +#. Add `banderson` to `mfa_pilot`. ----------------- -Exercise 401.2.4 ----------------- +#. Open a private browser and log in as `banderson` to the sample application + at http://localhost:8443/app. Review the released attributes. -*Onboard select departments, but allow for exceptions* +.. figure:: ../figures/401-banderson-mfa-enabled.png -#. Add `ref:dept:its` to `app:mfa:mfa_enabled_allow`. -#. Add `app:mfa:ref:mfa_bypass` to `app:mfa:mfa_enabled_deny`. Add [NetID] to - `mfa_bypass` to exclude from `mfa_enabled`. -#. Athletics departement +Excellent! We now have a working MFA policy! Adding new volunteers to the MFA +pilot is as easy as adding members to the pilot group. The next rollout phase +calls for onboarding select departments, but allow for exceptions. - * You don't have a reference group, but you were provided a list of subject IDs: +------------------------------------------- +Exercise 401.2.4 Onboard select departments +------------------------------------------- - .. literalinclude:: examples/401.2.4-athletics-dept.txt - :language: text - :caption: Athletics Department - :linenos: +The MFA rollout is going great! Our next step is to onboard select departments, +but also account for some execptions. - * Import the list as a temporary app-specific reference group. - * Add this reference group to `mfa_enabled_allow`. +1. Create `app:mfa:service:ref:mfa_bypass` for our exceptions + to policy, and add it to `app:mfa:service:policy:mfa_enabled_deny`. -The MFA pilot is going well when the institution is hit with some direct deposit -fraud. Mandate comes from leadership to add some required cohorts. The new -policy is "any non-faculty who has access to sensitive data (i.e. 
Banner -INB) must have mfa enabled". The new policy should be active within two days. +2. The CISO wants all members of central IT to be enabled. Add + `ref:dept:Information Technology` to `app:mfa:mfa_enabled_allow`. +3. The athletics department is very excited about MFA. We don't have + institutional reference group for them, but they gave us the following list + of NetIDs. Import the list to `app:mfa:service:ref:mfa_athletics` as a + temporary app-specific reference group. ----------------- -Exercise 401.2.5 ----------------- +.. literalinclude:: examples/401.2.4-athletics-dept.txt + :language: text + :caption: Athletics Department + :linenos: -*Update policy to include all non-faculty employees who have access to sensitive data in Banner* +4. Add `mfa_athletics` to `mfa_enabled_allow`. -The Banner support team provides a list of NetIDs to satisfy the "non-faculty -who have access to sensitive data in Banner" part of the policy. +.. figure:: ../figures/401-mfa-athletics.png -#. Create `app:mfa:ref:NonFacultyBannerINB` and import list of NetIDs. +The MFA pilot is going well when the institution is hit with some direct +deposit fraud. Mandate comes from leadership to add some required cohorts. The +new policy is "any non-faculty who has access to sensitive data (i.e. Banner +INB) must have mfa enabled". The new policy should be active within two days. + + +---------------------------------------------------------------------------- +Exercise 401.2.5 Update digital policy to reflect new natural lanague policy +---------------------------------------------------------------------------- + +The new natural language policy inlcudes all non-faculty employees who have +access to sensitive data in Banner. The Banner support team provides a list of +NetIDs to satisfy the "non-faculty who have access to sensitive data" part of +the policy. + +#. Create `app:mfa:service:ref:NonFacultyBannerINB` and import list of NetIDs. .. 
literalinclude:: examples/401.2.5-banner-netids.txt -#. Add `NonFacultyBannerINB` to `app:mfa:mfa_enabled_allow`. Edit the start - date for this group to be in the future. -#. Use :ref:`SQL ` to view memberships - enabled in the future. +#. Add `NonFacultyBannerINB` to `app:mfa:service:policy:mfa_enabled_allow`, and + edit the start date for this group to be 2 days in the future. -That’s was easy! Except-- the list is not quite right. Some faculty were -included for some reason. Help desk calling! Need to remove faculty members. +.. figure:: ../figures/401-mfa-banner-2days.png + +#. Review `mfa_enabled_allow` future membership + (mfa_enabled_allow -> Members -> Advanced -> Enabled / disabled status -> + Apply filter) +.. figure:: ../figures/401-mfa-banner-2days-review.png ----------------- -Exercise 401.2.6 ----------------- +That’s was easy! Except-- the list is not quite right. Some faculty were +included for some reason. Need to remove faculty members before they start +calling the help desk! -*Update policy to include all Banner users except faculty* +------------------------------------------------------------------------- +Exercise 401.2.6 Update policy to include all Banner users except faculty +------------------------------------------------------------------------- -#. Create `app:mfa:ref:BannerUsersMinusFaculty`. +#. Create `app:mfa:service:ref:BannerUsersMinusFaculty`. #. Edit this reference group to make it composite of `NonFacultyBannerINB` minus `ref:faculty`. +.. figure:: ../figures/401-mfa-banner-minus-faculty.png + The new policy is in place and the pilot continues to expand. The next phase calls for any faculty, staff, or student who are not already required to be -able to opt-in or out of MFA at their discretion. +able to opt-in or out of MFA at their discretion. 
+---------------------------------------------------------------------- +Exercise 401.2.7 Implement opt-in/out for users not required by policy +---------------------------------------------------------------------- ----------------- -Exercise 401.2.7 ----------------- +Allow any faculty, staff, or student to opt-in/out if they are not already +required by other policy. -*Allow any faculty, staff, or student to opt-in/out if they are not already -required by other policy* +#. Create `app:mfa:service:ref:mfa_opt_in`. This will be an opt-in group for + individuals who want to join or leave the service. -#. Create `app:mfa:ref:mfa_opt_in`, an opt-in group for individuals who want to - join or leave the service. -#. Add `mfa_opt_in` to `mfa_enabled_allow`. -#. Create a new grouper security group, `app:mfa:etc:mfa_opt_in_access|allow|deny`. -#. Add faculty, staff, and student reference groups to - `app:mfa:etc:mfa_opt_in_access_allow`. -#. Create `app:mfa:ref:mfa_required` and copy your required members from the - `mfa_enabled_allow` policy to `mfa_required`. -#. Add `mfa_required` to `mfa_enabled_allow` and remove the redundant members. -#. Add `app:mfa:ref:mfa_required` to `mfa_opt_in_access_deny`. -#. Configure `mfa_opt_in` privileges to grant `mfa_opt_in_access` *OptIn* and - *OptOut* rights. +#. Create a new grouper security group, `app:mfa:security:mfa_opt_in`. Make + `security:mfa_opt_in` a composite of `mfa_opt_in_allow` minus + `mfa_opt_in_deny`. This will be the administrative access policy for access + to `app:mf:service:ref:mfa_opt_in`. -Now, subject **awhite318** (Amber White) can log in and see the -`mfa_opt_in` group. This subject is able to join or leave at will. +.. figure:: ../figures/401-mfa-opt-in-security.png + +3. Configure `service:ref:mfa_opt_in` privileges to grant + `security:ref:mfa_opt_in` *OptIn* and *OptOut* rights. + +.. figure:: ../figures/401-mfa-opt-in-privs.png + +4. Create `app:mfa:ref:mfa_required` and add it to `mfa_enabled_allow`. 
This + will be the cohorts that are required to use mfa by policy. They will not be + able to use the opt_in/out group. + +5. Add the following reference groups to `mfa_required`. These cohorts + are required to use MFA. + +* `BannerUsersMinusFaculty` +* `Information Technology` +* `mfa_athletics` +* `mfa_pilot` + +6. Remove the following redundant reference groups from `mfa_enabled_allow`. + These memberships are now covered by `mfa_required`. + +* `BannerUsersMinusFaculty` +* `Information Technology` +* `mfa_athletics` +* `mfa_pilot` + +7. Add `app:mfa:service:ref:mfa_required` to `mfa_opt_in_access_deny`. Users + that are required to use MFA can not opt-in/out. + +8. Add faculty, staff, and student reference groups to + `security:mfa_opt_in_allow` + +9. Add `service:ref:mfa_opt_in` to `service:policy:mfa_enabled_allow`. + +.. figure:: ../figures/401-mfa-policy.png + +10. In a private browser, log in as username `awhite318` password `password`. + Amber White can see the `mfa_opt_in` group, and can join or leave at will. + +.. figure:: ../figures/401-mfa-amber-join.png + +.. figure:: ../figures/401-mfa-amber-leave.png """"""""""""""""""""""""""""" Improving the User Experience """"""""""""""""""""""""""""" -The Grouper UI is sufficient for simple user interaction, but not a great user -experience. Another approach is to build a small, web-based application to -manage membership directly or via database and grouper loader. +The Grouper UI is sufficient for simple user interactions, but is not really a +great user experience. Another approach is to build a small, web-based +application to manage membership directly or via a database and grouper loader. * Web application maintains a database of NetIDs that have opted in. * Grouper loader job imports opt-in members into a reerence group. * The web app needs to know what NetIDs are required to use MFA and are - therefore ineligible to use the web app. 
Grouper can provision a 2nd - ePE, `http://tier.internet2.edu/mfa/required`. - -Working great! But, accounts that were put in early bypass for some reason -now can't opt-in. It looks like they enabled it, but they get filtered out of -`mfa_enabled` because of the bypass membership. Removing those accounts from -bypass puts them in `mfa_enabled`. - ----------------- -Exercise 401.2.8 ----------------- - -*Refactor `...:ref:bypass` to accommodate users who opt-in to MFA* - -#. Refactor `...:ref:bypass` to `...:basis:mfa_bypass`. -#. Create new `...:ref:mfa_bypass_not_opt_in` composite - (`...:basis:mfa_bypass` - `...:ref:mfa_opt_in`). -#. Add `...:ref:mfa_bypass_not_opt_in` to `app:mfa:mfa_enabled_deny`. + therefore ineligible to use the web app. Grouper can be configured to + provision `mfa_required` to eduPersonEntitilement value + `http://tier.internet2.edu/mfa/required`. -Another way might be to use Grouper rules. +The MFA pilot has been a success! Leadership now wants all remaining faculty, +staff, and students to be required to use MFA by policy. -Pilot has been a success. Leadership wants all remaining faculty, staff, -and students to be enabled by policy. +------------------------------------------------------------------------- +Exercise 401.2.8 Add all remaining faculty, staff, and students to policy +------------------------------------------------------------------------- ----------------- -Exercise 401.2.9 ----------------- +#. Add the following reference groups directly to `mfa_enabled_allow`. -*Add all remaining faculty, staff, and students to policy* +* ref:faculty +* ref:staff +* ref:student -#. Add appropriate reference groups to allow policy. -#. Clean up intermediate policy and application reference groups. +2. Remove all intermediate policy and application reference groups. - * Add `faculty`, `staff`, and `student` reference groups to policy. - * Remove app specific reference and basis groups. +We should now have a fairly clean app policy folder. 
We were able to evolve +digital policy without affecting access to the service. -We should now have a fairly clean app policy folder. We were able to update -digital policy without affecting service. +.. figure:: ../figures/401-mfa-clean-policy.png -Kick back and have a margarita! +Margarita time! +.. _`REFEDS MFA profile`: https://refeds.org/profile/mfa diff --git a/docs/401/examples/401.2.2-pspng-config.properties b/docs/401/examples/401.2.2-pspng-config.properties index 1050e7f..de52d44 100644 --- a/docs/401/examples/401.2.2-pspng-config.properties +++ b/docs/401/examples/401.2.2-pspng-config.properties @@ -94,7 +94,7 @@ changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.ps changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ? changeLog.consumer.pspng_entitlements.ldapPoolName = demo changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement -changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : 'urn:mace:example.edu:' + group.extension} +changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:service:policy:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : 'urn:mace:example.edu:' + group.extension} changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id} changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=* diff --git a/docs/401/examples/401.2.5-banner-netids.txt b/docs/401/examples/401.2.5-banner-netids.txt index 2362df0..f45ea0b 100644 --- a/docs/401/examples/401.2.5-banner-netids.txt +++ b/docs/401/examples/401.2.5-banner-netids.txt 
@@ -1,5 +1,34 @@ -agasper508 -agasper678 -alopez899 -aprice362 -agrady791 +jprice108 +mnielson143 +mvales154 +wclark159 +kthompson169 +athompson183 +sanderson191 +jlangenberg194 +jwhite222 +rwilliams230 +pwilliams242 +lprice328 +dgrady331 +edoe348 +svales366 +mhenderson377 +mlewis390 +mroberts391 +llopez398 +amorrison406 +janderson459 +wmartinez487 +lvales502 +cvales514 +jprice523 +rvales544 +iprice563 +bmartinez592 +jnielson598 +amartinez605 +dprice607 +mbutler632 +lbutler643 +dmartinez657 \ No newline at end of file diff --git a/docs/figures/401-banderson-mfa-enabled.png b/docs/figures/401-banderson-mfa-enabled.png new file mode 100644 index 0000000..e49b2c6 Binary files /dev/null and b/docs/figures/401-banderson-mfa-enabled.png differ diff --git a/docs/figures/401-mfa-amber-join.png b/docs/figures/401-mfa-amber-join.png new file mode 100644 index 0000000..94fa7e0 Binary files /dev/null and b/docs/figures/401-mfa-amber-join.png differ diff --git a/docs/figures/401-mfa-amber-leave.png b/docs/figures/401-mfa-amber-leave.png new file mode 100644 index 0000000..fc2ecb6 Binary files /dev/null and b/docs/figures/401-mfa-amber-leave.png differ diff --git a/docs/figures/401-mfa-athletics.png b/docs/figures/401-mfa-athletics.png new file mode 100644 index 0000000..7528726 Binary files /dev/null and b/docs/figures/401-mfa-athletics.png differ diff --git a/docs/figures/401-mfa-banner-2days-review.png b/docs/figures/401-mfa-banner-2days-review.png new file mode 100644 index 0000000..c945853 Binary files /dev/null and b/docs/figures/401-mfa-banner-2days-review.png differ diff --git a/docs/figures/401-mfa-banner-2days.png b/docs/figures/401-mfa-banner-2days.png new file mode 100644 index 0000000..f3ffeb9 Binary files /dev/null and b/docs/figures/401-mfa-banner-2days.png differ 
diff --git a/docs/figures/401-mfa-banner-minus-faculty.png b/docs/figures/401-mfa-banner-minus-faculty.png new file mode 100644 index 0000000..a4d19dd Binary files /dev/null and b/docs/figures/401-mfa-banner-minus-faculty.png differ diff --git a/docs/figures/401-mfa-clean-policy.png b/docs/figures/401-mfa-clean-policy.png new file mode 100644 index 0000000..741545b Binary files /dev/null and b/docs/figures/401-mfa-clean-policy.png differ diff --git a/docs/figures/401-mfa-enabled.png b/docs/figures/401-mfa-enabled.png new file mode 100644 index 0000000..31f61aa Binary files /dev/null and b/docs/figures/401-mfa-enabled.png differ diff --git a/docs/figures/401-mfa-opt-in-privs.png b/docs/figures/401-mfa-opt-in-privs.png new file mode 100644 index 0000000..c4d0ade Binary files /dev/null and b/docs/figures/401-mfa-opt-in-privs.png differ diff --git a/docs/figures/401-mfa-opt-in-security.png b/docs/figures/401-mfa-opt-in-security.png new file mode 100644 index 0000000..fb576bd Binary files /dev/null and b/docs/figures/401-mfa-opt-in-security.png differ diff --git a/docs/figures/401-mfa-policy.png b/docs/figures/401-mfa-policy.png new file mode 100644 index 0000000..66d5c13 Binary files /dev/null and b/docs/figures/401-mfa-policy.png differ diff --git a/ex401/ex401.2.1/container_files/seed-data/bootstrap.gsh b/ex401/ex401.2.1/container_files/seed-data/bootstrap.gsh index e69de29..c28120a 100644 --- a/ex401/ex401.2.1/container_files/seed-data/bootstrap.gsh +++ b/ex401/ex401.2.1/container_files/seed-data/bootstrap.gsh @@ -0,0 +1,3 @@ +gs = GrouperSession.startRootSession(); +delStem("401.1.end") +addRootStem("401.2.1", "401.2.1") diff --git a/ex401/ex401.2.end/Dockerfile b/ex401/ex401.2.end/Dockerfile index 2414955..095c492 100644 --- a/ex401/ex401.2.end/Dockerfile +++ b/ex401/ex401.2.end/Dockerfile @@ -1,5 +1,5 @@ ARG VERSION_TAG -FROM tier/gte:401.2.9-$VERSION_TAG +FROM tier/gte:401.2.1-$VERSION_TAG LABEL author="tier-packaging@internet2.edu " \ Vendor="TIER" \ 
diff --git a/ex401/ex401.2.end/container_files/seed-data/bootstrap.gsh b/ex401/ex401.2.end/container_files/seed-data/bootstrap.gsh index 875e82f..6884b66 100644 --- a/ex401/ex401.2.end/container_files/seed-data/bootstrap.gsh +++ b/ex401/ex401.2.end/container_files/seed-data/bootstrap.gsh 
@@ -1,17 +1,155 @@ gs = GrouperSession.startRootSession(); +delStem("401.2.1") +addRootStem("401.2.end", "401.2.end") + +// 401.2.1 +addStem("app", "mfa", "mfa"); +addStem("app:mfa", "security", "security"); +addStem("app:mfa", "service", "service"); +addStem("app:mfa:service", "policy", "policy"); +addStem("app:mfa:service", "ref", "ref"); +mfa_enabled = addGroup("app:mfa:service:policy", "mfa_enabled", "mfa_enabled"); +addGroup("app:mfa:service:policy", "mfa_enabled_allow", "mfa_enabled_allow"); +addGroup("app:mfa:service:policy", "mfa_enabled_deny", "mf_enabled_deny"); +addComposite("app:mfa:service:policy:mfa_enabled", CompositeType.COMPLEMENT, "app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:policy:mfa_enabled_deny"); +addGroup("app:mfa:service:ref", "mfa_pilot", "mfa_pilot"); +addMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_pilot"); + +// 401.2.2 +// Assign PSPNG `provision_to` attribute to `mfa_enabled` with a value of `pspng_entitlements`. +edu.internet2.middleware.grouper.pspng.FullSyncProvisionerFactory.getFullSyncer("pspng_entitlements"); +pspngAttribute = AttributeDefNameFinder.findByName("etc:pspng:provision_to", true); +AttributeAssignSave attributeAssignSave = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true); +attributeAssignSave.assignAttributeDefName(pspngAttribute); +attributeAssignSave.assignOwnerGroup(mfa_enabled); +attributeAssignSave.addValue("pspng_entitlements"); +attributeAssignSave.save(); +addMember("app:mfa:service:ref:mfa_pilot", "banderson"); + +// 401.2.3 +// nothing to do. 
idp already configured + +// 401.2.4 +// stub out ref groups for load jobs +addStem("ref", "dept", "dept"); +addGroup("ref:dept", "Information Technology", "Information Technology"); +addGroup("app:mfa:service:ref", "mfa_bypass", "mfa_bypass"); +addMember("app:mfa:service:policy:mfa_enabled_deny", "app:mfa:service:ref:mfa_bypass"); +addMember("app:mfa:service:policy:mfa_enabled_allow", "ref:dept:Information Technology"); + +mfa_athletics = addGroup("app:mfa:service:ref", "mfa_athletics", "mfa_athletics"); +mfa_athletics.addMember(findSubject("ahenderson36")); +mfa_athletics.addMember(findSubject("amorrison42")); +mfa_athletics.addMember(findSubject("bsmith65")); +mfa_athletics.addMember(findSubject("cthompson28")); +mfa_athletics.addMember(findSubject("janderson13")); +mfa_athletics.addMember(findSubject("jdavis4")); +mfa_athletics.addMember(findSubject("jlangenberg100")); +mfa_athletics.addMember(findSubject("jprice108")); +mfa_athletics.addMember(findSubject("jvales117")); +mfa_athletics.addMember(findSubject("ldavis5")); +mfa_athletics.addMember(findSubject("mgrady137")); +mfa_athletics.addMember(findSubject("mmartinez133")); +mfa_athletics.addMember(findSubject("nscott103")); +mfa_athletics.addMember(findSubject("pthompson61")); +mfa_athletics.addMember(findSubject("rdavis16")); +addMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_athletics"); + +// 401.2.5 +addGroup("app:mfa:service:ref", "NonFacultyBannerINB", "NonFacultyBannerINB"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","jprice108"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","mnielson143"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","mvales154"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","wclark159"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","kthompson169"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","athompson183"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","sanderson191"); 
+addMember("app:mfa:service:ref:NonFacultyBannerINB","jlangenberg194"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","jwhite222"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","rwilliams230"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","pwilliams242"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","lprice328"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","dgrady331"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","edoe348"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","svales366"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","mhenderson377"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","mlewis390"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","mroberts391"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","llopez398"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","amorrison406"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","janderson459"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","wmartinez487"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","lvales502"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","cvales514"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","jprice523"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","rvales544"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","iprice563"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","bmartinez592"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","jnielson598"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","amartinez605"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","dprice607"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","mbutler632"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","lbutler643"); +addMember("app:mfa:service:ref:NonFacultyBannerINB","dmartinez657"); + +addMember("app:mfa:service:policy:mfa_enabled_allow","app:mfa:service:ref:NonFacultyBannerINB"); +//Set start date 2 days out +java.util.Calendar cal 
= Calendar.getInstance(); +cal.setTime(new Date()); +cal.add(Calendar.DAY_OF_YEAR, 2); +group = GroupFinder.findByName(gs, "app:mfa:service:policy:mfa_enabled_allow", true); +subject = GroupFinder.findByName(gs, "app:mfa:service:ref:NonFacultyBannerINB", true).toSubject(); +group.addOrEditMember(subject, true, true, cal.getTime(), null, false); + +// 401.2.6 +addGroup("app:mfa:service:ref", "BannerUsersMinusFaculty", "BannerUsersMinusFaculty"); +addComposite("app:mfa:service:ref:BannerUsersMinusFaculty", CompositeType.COMPLEMENT, "app:mfa:service:ref:NonFacultyBannerINB", "ref:faculty"); +addMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:BannerUsersMinusFaculty") +delMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:NonFacultyBannerINB"); + +// 401.2.7 +addGroup("app:mfa:service:ref", "mfa_opt_in", "mfa_opt_in"); + +addGroup("app:mfa:security", "mfa_opt_in", "mfa_opt_in"); +addGroup("app:mfa:security", "mfa_opt_in_allow", "mfa_opt_in_allow"); +addGroup("app:mfa:security", "mfa_opt_in_deny", "mfa_opt_in_deny"); +addComposite("app:mfa:security:mfa_opt_in", CompositeType.COMPLEMENT, "app:mfa:security:mfa_opt_in_allow", "app:mfa:security:mfa_opt_in_deny"); + +grantPriv("app:mfa:service:ref:mfa_opt_in", "app:mfa:security:mfa_opt_in", AccessPrivilege.OPTIN); +grantPriv("app:mfa:service:ref:mfa_opt_in", "app:mfa:security:mfa_opt_in", AccessPrivilege.OPTOUT); + +addGroup("app:mfa:service:ref", "mfa_required", "mfa_required"); +addMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_required"); + +addMember("app:mfa:service:ref:mfa_required", "app:mfa:service:ref:BannerUsersMinusFaculty"); +addMember("app:mfa:service:ref:mfa_required", "ref:dept:Information Technology"); +addMember("app:mfa:service:ref:mfa_required", "app:mfa:service:ref:mfa_athletics"); +addMember("app:mfa:service:ref:mfa_required", "app:mfa:service:ref:mfa_pilot"); + +delMember("app:mfa:service:policy:mfa_enabled_allow", 
"app:mfa:service:ref:BannerUsersMinusFaculty"); +delMember("app:mfa:service:policy:mfa_enabled_allow", "ref:dept:Information Technology"); +delMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_athletics"); +delMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_pilot"); + +addMember("app:mfa:security:mfa_opt_in_deny", "app:mfa:service:ref:mfa_required"); + +addMember("app:mfa:security:mfa_opt_in_allow", "ref:faculty"); +addMember("app:mfa:security:mfa_opt_in_allow", "ref:staff"); +addMember("app:mfa:security:mfa_opt_in_allow", "ref:student"); + + +// 401.2.8 +addMember("app:mfa:service:policy:mfa_enabled_allow", "ref:faculty"); +addMember("app:mfa:service:policy:mfa_enabled_allow", "ref:staff"); +addMember("app:mfa:service:policy:mfa_enabled_allow", "ref:student"); + +delGroup("app:mfa:service:ref:mfa_pilot"); +delGroup("app:mfa:security:mfa_opt_in"); +delGroup("app:mfa:security:mfa_opt_in_allow"); +delGroup("app:mfa:security:mfa_opt_in_deny"); +delGroup("app:mfa:service:ref:mfa_opt_in"); +delGroup("app:mfa:service:ref:mfa_required"); +delGroup("app:mfa:service:ref:BannerUsersMinusFaculty"); +delGroup("app:mfa:service:ref:NonFacultyBannerINB"); +delGroup("app:mfa:service:ref:mfa_athletics"); -addMember("app:mfa:mfa_enabled_allow", "ref:faculty"); -addMember("app:mfa:mfa_enabled_allow", "ref:staff"); -addMember("app:mfa:mfa_enabled_allow", "ref:student"); -delMember("app:mfa:mfa_enabled_allow", "ref:dept:Information Technology"); - -delGroup("app:mfa:ref:pilot"); -delGroup("app:mfa:etc:mfa_opt_in_access"); -delGroup("app:mfa:etc:mfa_opt_in_access_allow"); -delGroup("app:mfa:etc:mfa_opt_in_access_deny"); -delGroup("app:mfa:ref:mfa_opt_in"); -delGroup("app:mfa:ref:mfa_bypass_not_opt_in"); -delGroup("app:mfa:mfa_required"); -delGroup("app:mfa:ref:BannerUsersMinusFaculty"); -delGroup("app:mfa:ref:NonFacultyBannerINB"); -delGroup("app:mfa:ref:athletics_dept"); 
diff --git a/ex401/manualBuild.sh b/ex401/manualBuild.sh index 26bc28c..f759d6b 100755 --- a/ex401/manualBuild.sh +++ b/ex401/manualBuild.sh @@ -3,14 +3,6 @@ echo "Building gte:401 version ${VERSION_TAG}" docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.1.1-${VERSION_TAG} ex401.1.1 \ && docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.1.end-${VERSION_TAG} ex401.1.end \ && docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.1-${VERSION_TAG} ex401.2.1 \ -&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.2-${VERSION_TAG} ex401.2.2 \ -&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.3-${VERSION_TAG} ex401.2.3 \ -&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.4-${VERSION_TAG} ex401.2.4 \ -&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.5-${VERSION_TAG} ex401.2.5 \ -&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.6-${VERSION_TAG} ex401.2.6 \ -&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.7-${VERSION_TAG} ex401.2.7 \ -&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.8-${VERSION_TAG} ex401.2.8 \ -&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.9-${VERSION_TAG} ex401.2.9 \ && docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.end-${VERSION_TAG} ex401.2.end \ && docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.1-${VERSION_TAG} ex401.3.1 \ && docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.2-${VERSION_TAG} ex401.3.2 \
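Review bot: in the docs/401/401.1.rst hunk, the `.. _PSPNG:` target fix and the added trailing newline are fine; while this block is being touched, the context line "Exception managment is distributed" could get the same drive-by treatment (management).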
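Review bot: in the docs/401/401.2.rst hunk at @@ -27,55 the new figure directive `.. figure: ../figures/401-mfa-enabled.png` has a single colon, so docutils treats it as a comment and the screenshot silently never renders; it should read `.. figure:: ../figures/401-mfa-enabled.png` like the other figures in the file. The same hunk also introduces typos in the new text that should be fixed before merge: "a number phases" (a number of phases), "is is an access control list", "eduPersonEntitilement" (the attribute the PSPNG config actually provisions is `eduPersonEntitlement`), "Let's use **http://tier.internet2.edu/mfa/enabled**. as the ePE value" (stray period after the bold value), "already configure for you", "enfornce", "authentcation", and "if the subject as an ePE value" (has).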
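Review bot: in the docs/401/401.2.rst hunk at @@ -91,146 the group paths are inconsistent after the move to `app:mfa:service:policy`, `app:mfa:service:ref` and `app:mfa:security`, so a learner following the text creates groups in the wrong folders: 401.2.4 step 2 still says `app:mfa:mfa_enabled_allow`; 401.2.7 step 2 refers to `app:mf:service:ref:mfa_opt_in`; 401.2.7 step 4 creates `app:mfa:ref:mfa_required` while bootstrap.gsh creates it under `app:mfa:service:ref`; and 401.2.7 step 7 adds `mfa_required` to `mfa_opt_in_access_deny`, a group that no longer exists (step 2 created `app:mfa:security:mfa_opt_in_deny`). A second logic point: the hunk deletes the old Exercise 401.2.8 (refactor `mfa_bypass` so opted-in users are not filtered out of `mfa_enabled`), but 401.2.4 step 1 still puts `mfa_bypass` in `mfa_enabled_deny` and 401.2.7 still adds `mfa_opt_in`, so the failure the removed text described (a bypassed account that opts in still lands in the deny side of the complement) remains in the final policy and is now undocumented; either restore the refactor or add a sentence saying bypass wins over opt-in by design. Also, 401.2.6 never tells the learner to replace `NonFacultyBannerINB` with `BannerUsersMinusFaculty` in `mfa_enabled_allow`, which the seed script does. Formatting: `.. figure:: ../figures/401-mfa-banner-2days-review.png` follows "Apply filter)" with no blank line, so it is parsed as list-item text rather than a directive; and the steps mix `#.` auto-enumeration with explicit `3.`, `4.` continuations across figures, which works but emits docutils start-value notices. Typos: "execptions", "lanague", "inlcudes", "reerence", "That's was easy", "can not opt-in/out" (cannot).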
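Review bot: in the docs/401/examples/401.2.2-pspng-config.properties hunk, the entitlement value is keyed on the hard-coded full group name in `${group.name.equalsIgnoreCase('app:mfa:service:policy:mfa_enabled') ? ... }`, and this very edit shows the failure mode: when the policy group was moved, the test stopped matching and PSPNG would have provisioned `urn:mace:example.edu:mfa_enabled` instead of `http://tier.internet2.edu/mfa/enabled`, so the IdP quietly stops asserting the REFEDS MFA profile for everyone with no error anywhere. Worth a comment on that line pointing out the coupling to the group's full name, since the 401.2 text tells learners the file is "already configured" and they will not look at it.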
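Review bot: the docs/401/examples/401.2.5-banner-netids.txt hunk duplicates the same 34 NetIDs that the ex401.2.end bootstrap.gsh adds one `addMember` call at a time; two hand-maintained copies will drift the next time either is edited, so have the seed script read this file, or at least cross-reference the two in a comment. The new file is also written with "\ No newline at end of file", the same defect the 401.1.rst hunk in this change fixes for another file; add the trailing newline here too.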
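Review bot: in the ex401/ex401.2.end/container_files/seed-data/bootstrap.gsh hunk, the display name of the deny group is misspelled in `addGroup("app:mfa:service:policy", "mfa_enabled_deny", "mf_enabled_deny");` and should be `"mfa_enabled_deny"`, otherwise the UI shows a name that does not match the docs. Second, the `// 401.2.8` cleanup deletes every intermediate group except `app:mfa:service:ref:mfa_bypass`, which stays as a member of `mfa_enabled_deny`, so the end state is not the "clean app policy folder" the text promises; delete it here or mention in the docs that it is retained. Third, in the `// 401.2.5` block `cal.getTime()` is a `java.util.Date`; please confirm in GSH that `addOrEditMember(subject, true, true, cal.getTime(), null, false)` accepts it for the start-date parameter rather than requiring a `java.sql.Timestamp`, since this is the only line that exercises the two-days-out feature the exercise is about. Style: `addMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:BannerUsersMinusFaculty")` in the 401.2.6 block is the one statement without a trailing semicolon.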
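Review bot: the ex401/manualBuild.sh hunk drops the builds for ex401.2.2 through ex401.2.9 and the ex401/ex401.2.end/Dockerfile hunk rebases the end image on `tier/gte:401.2.1-$VERSION_TAG`, but the diff removes nothing under those eight directories; if they are still in the tree they are now dead and their Dockerfiles will silently go stale. Either delete them in this change or say in the commit message why they stay. Related: the docs now tell learners that the PSPNG consumer (401.2.2) and the IdP MFA flow (401.2.3) are "already configured for you", which after this change means the 401.2.1 image must ship that configuration, since its bootstrap.gsh only deletes the `401.1.end` stem and creates a `401.2.1` marker stem.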