201906 401.2 content and gte updates

docs/401/401.1.rst

@@ -409,4 +409,4 @@ attestation lifecycle. Exception managment is distributed and VPN policy
 participates in the global deny policy.
 
 .. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program
-.. _`PSPNG`: https://spaces.at.internet2.edu/x/iwfSBQ
+.. _PSPNG: https://spaces.at.internet2.edu/x/iwfSBQ

docs/401/examples/401.2.2-pspng-config.properties

@@ -94,7 +94,7 @@ changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.ps
 changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
 changeLog.consumer.pspng_entitlements.ldapPoolName = demo
 changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
-changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : 'urn:mace:example.edu:' + group.extension}
+changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:service:policy:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : 'urn:mace:example.edu:' + group.extension}
 changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
 changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
 changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=*

docs/401/examples/401.2.5-banner-netids.txt

@@ -1,5 +1,34 @@
-agasper508
-agasper678
-alopez899
-aprice362
-agrady791
+jprice108
+mnielson143
+mvales154
+wclark159
+kthompson169
+athompson183
+sanderson191
+jlangenberg194
+jwhite222
+rwilliams230
+pwilliams242
+lprice328
+dgrady331
+edoe348
+svales366
+mhenderson377
+mlewis390
+mroberts391
+llopez398
+amorrison406
+janderson459
+wmartinez487
+lvales502
+cvales514
+jprice523
+rvales544
+iprice563
+bmartinez592
+jnielson598
+amartinez605
+dprice607
+mbutler632
+lbutler643
+dmartinez657

ex401/ex401.2.1/container_files/seed-data/bootstrap.gsh

@@ -0,0 +1,3 @@
+gs = GrouperSession.startRootSession();
+delStem("401.1.end")
+addRootStem("401.2.1", "401.2.1")

ex401/ex401.2.end/Dockerfile

@@ -1,5 +1,5 @@
 ARG VERSION_TAG
-FROM tier/gte:401.2.9-$VERSION_TAG
+FROM tier/gte:401.2.1-$VERSION_TAG
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
       Vendor="TIER" \

ex401/ex401.2.end/container_files/seed-data/bootstrap.gsh

@@ -1,17 +1,155 @@
 gs = GrouperSession.startRootSession();
+delStem("401.2.1")
+addRootStem("401.2.end", "401.2.end")
+
+// 401.2.1
+addStem("app", "mfa", "mfa");
+addStem("app:mfa", "security", "security");
+addStem("app:mfa", "service", "service");
+addStem("app:mfa:service", "policy", "policy");
+addStem("app:mfa:service", "ref", "ref");
+mfa_enabled = addGroup("app:mfa:service:policy", "mfa_enabled", "mfa_enabled");
+addGroup("app:mfa:service:policy", "mfa_enabled_allow", "mfa_enabled_allow");
+addGroup("app:mfa:service:policy", "mfa_enabled_deny", "mf_enabled_deny");
+addComposite("app:mfa:service:policy:mfa_enabled", CompositeType.COMPLEMENT, "app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:policy:mfa_enabled_deny");
+addGroup("app:mfa:service:ref", "mfa_pilot", "mfa_pilot");
+addMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_pilot");
+
+// 401.2.2
+// Assign PSPNG `provision_to` attribute to `mfa_enabled` with a value of `pspng_entitlements`.
+edu.internet2.middleware.grouper.pspng.FullSyncProvisionerFactory.getFullSyncer("pspng_entitlements");
+pspngAttribute = AttributeDefNameFinder.findByName("etc:pspng:provision_to", true);
+AttributeAssignSave attributeAssignSave = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true);
+attributeAssignSave.assignAttributeDefName(pspngAttribute);
+attributeAssignSave.assignOwnerGroup(mfa_enabled);
+attributeAssignSave.addValue("pspng_entitlements");
+attributeAssignSave.save();
+addMember("app:mfa:service:ref:mfa_pilot", "banderson");
+
+// 401.2.3
+// nothing to do. idp already configured
+
+// 401.2.4
+// stub out ref groups for load jobs
+addStem("ref", "dept", "dept");
+addGroup("ref:dept", "Information Technology", "Information Technology");
+addGroup("app:mfa:service:ref", "mfa_bypass", "mfa_bypass");
+addMember("app:mfa:service:policy:mfa_enabled_deny", "app:mfa:service:ref:mfa_bypass");
+addMember("app:mfa:service:policy:mfa_enabled_allow", "ref:dept:Information Technology");
+
+mfa_athletics = addGroup("app:mfa:service:ref", "mfa_athletics", "mfa_athletics");
+mfa_athletics.addMember(findSubject("ahenderson36"));
+mfa_athletics.addMember(findSubject("amorrison42"));
+mfa_athletics.addMember(findSubject("bsmith65"));
+mfa_athletics.addMember(findSubject("cthompson28"));
+mfa_athletics.addMember(findSubject("janderson13"));
+mfa_athletics.addMember(findSubject("jdavis4"));
+mfa_athletics.addMember(findSubject("jlangenberg100"));
+mfa_athletics.addMember(findSubject("jprice108"));
+mfa_athletics.addMember(findSubject("jvales117"));
+mfa_athletics.addMember(findSubject("ldavis5"));
+mfa_athletics.addMember(findSubject("mgrady137"));
+mfa_athletics.addMember(findSubject("mmartinez133"));
+mfa_athletics.addMember(findSubject("nscott103"));
+mfa_athletics.addMember(findSubject("pthompson61"));
+mfa_athletics.addMember(findSubject("rdavis16"));
+addMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_athletics");
+
+// 401.2.5
+addGroup("app:mfa:service:ref", "NonFacultyBannerINB", "NonFacultyBannerINB");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","jprice108");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","mnielson143");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","mvales154");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","wclark159");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","kthompson169");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","athompson183");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","sanderson191");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","jlangenberg194");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","jwhite222");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","rwilliams230");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","pwilliams242");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","lprice328");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","dgrady331");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","edoe348");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","svales366");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","mhenderson377");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","mlewis390");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","mroberts391");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","llopez398");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","amorrison406");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","janderson459");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","wmartinez487");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","lvales502");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","cvales514");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","jprice523");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","rvales544");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","iprice563");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","bmartinez592");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","jnielson598");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","amartinez605");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","dprice607");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","mbutler632");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","lbutler643");
+addMember("app:mfa:service:ref:NonFacultyBannerINB","dmartinez657");
+
+addMember("app:mfa:service:policy:mfa_enabled_allow","app:mfa:service:ref:NonFacultyBannerINB");
+//Set start date 2 days out
+java.util.Calendar cal = Calendar.getInstance();
+cal.setTime(new Date());
+cal.add(Calendar.DAY_OF_YEAR, 2);
+group = GroupFinder.findByName(gs, "app:mfa:service:policy:mfa_enabled_allow", true);
+subject = GroupFinder.findByName(gs, "app:mfa:service:ref:NonFacultyBannerINB", true).toSubject();
+group.addOrEditMember(subject, true, true, cal.getTime(), null, false);
+
+// 401.2.6
+addGroup("app:mfa:service:ref", "BannerUsersMinusFaculty", "BannerUsersMinusFaculty");
+addComposite("app:mfa:service:ref:BannerUsersMinusFaculty", CompositeType.COMPLEMENT, "app:mfa:service:ref:NonFacultyBannerINB", "ref:faculty");
+addMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:BannerUsersMinusFaculty")
+delMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:NonFacultyBannerINB");
+
+// 401.2.7
+addGroup("app:mfa:service:ref", "mfa_opt_in", "mfa_opt_in");
+
+addGroup("app:mfa:security", "mfa_opt_in", "mfa_opt_in");
+addGroup("app:mfa:security", "mfa_opt_in_allow", "mfa_opt_in_allow");
+addGroup("app:mfa:security", "mfa_opt_in_deny", "mfa_opt_in_deny");
+addComposite("app:mfa:security:mfa_opt_in", CompositeType.COMPLEMENT, "app:mfa:security:mfa_opt_in_allow", "app:mfa:security:mfa_opt_in_deny");
+
+grantPriv("app:mfa:service:ref:mfa_opt_in", "app:mfa:security:mfa_opt_in", AccessPrivilege.OPTIN);
+grantPriv("app:mfa:service:ref:mfa_opt_in", "app:mfa:security:mfa_opt_in", AccessPrivilege.OPTOUT);
+
+addGroup("app:mfa:service:ref", "mfa_required", "mfa_required");
+addMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_required");
+
+addMember("app:mfa:service:ref:mfa_required", "app:mfa:service:ref:BannerUsersMinusFaculty");
+addMember("app:mfa:service:ref:mfa_required", "ref:dept:Information Technology");
+addMember("app:mfa:service:ref:mfa_required", "app:mfa:service:ref:mfa_athletics");
+addMember("app:mfa:service:ref:mfa_required", "app:mfa:service:ref:mfa_pilot");
+
+delMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:BannerUsersMinusFaculty");
+delMember("app:mfa:service:policy:mfa_enabled_allow", "ref:dept:Information Technology");
+delMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_athletics");
+delMember("app:mfa:service:policy:mfa_enabled_allow", "app:mfa:service:ref:mfa_pilot");
+
+addMember("app:mfa:security:mfa_opt_in_deny", "app:mfa:service:ref:mfa_required");
+
+addMember("app:mfa:security:mfa_opt_in_allow", "ref:faculty");
+addMember("app:mfa:security:mfa_opt_in_allow", "ref:staff");
+addMember("app:mfa:security:mfa_opt_in_allow", "ref:student");
+
+
+// 401.2.8
+addMember("app:mfa:service:policy:mfa_enabled_allow", "ref:faculty");
+addMember("app:mfa:service:policy:mfa_enabled_allow", "ref:staff");
+addMember("app:mfa:service:policy:mfa_enabled_allow", "ref:student");
+
+delGroup("app:mfa:service:ref:mfa_pilot");
+delGroup("app:mfa:security:mfa_opt_in");
+delGroup("app:mfa:security:mfa_opt_in_allow");
+delGroup("app:mfa:security:mfa_opt_in_deny");
+delGroup("app:mfa:service:ref:mfa_opt_in");
+delGroup("app:mfa:service:ref:mfa_required");
+delGroup("app:mfa:service:ref:BannerUsersMinusFaculty");
+delGroup("app:mfa:service:ref:NonFacultyBannerINB");
+delGroup("app:mfa:service:ref:mfa_athletics");
 
-addMember("app:mfa:mfa_enabled_allow", "ref:faculty");
-addMember("app:mfa:mfa_enabled_allow", "ref:staff");
-addMember("app:mfa:mfa_enabled_allow", "ref:student");
-delMember("app:mfa:mfa_enabled_allow", "ref:dept:Information Technology");
-
-delGroup("app:mfa:ref:pilot");
-delGroup("app:mfa:etc:mfa_opt_in_access");
-delGroup("app:mfa:etc:mfa_opt_in_access_allow");
-delGroup("app:mfa:etc:mfa_opt_in_access_deny");
-delGroup("app:mfa:ref:mfa_opt_in");
-delGroup("app:mfa:ref:mfa_bypass_not_opt_in");
-delGroup("app:mfa:mfa_required");
-delGroup("app:mfa:ref:BannerUsersMinusFaculty");
-delGroup("app:mfa:ref:NonFacultyBannerINB");
-delGroup("app:mfa:ref:athletics_dept");

ex401/manualBuild.sh

@@ -3,14 +3,6 @@ echo "Building gte:401 version ${VERSION_TAG}"
 docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.1.1-${VERSION_TAG} ex401.1.1 \
 && docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.1.end-${VERSION_TAG} ex401.1.end \
 && docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.1-${VERSION_TAG} ex401.2.1 \
-&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.2-${VERSION_TAG} ex401.2.2 \
-&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.3-${VERSION_TAG} ex401.2.3 \
-&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.4-${VERSION_TAG} ex401.2.4 \
-&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.5-${VERSION_TAG} ex401.2.5 \
-&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.6-${VERSION_TAG} ex401.2.6 \
-&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.7-${VERSION_TAG} ex401.2.7 \
-&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.8-${VERSION_TAG} ex401.2.8 \
-&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.9-${VERSION_TAG} ex401.2.9 \
 && docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.end-${VERSION_TAG} ex401.2.end \
 && docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.1-${VERSION_TAG} ex401.3.1 \
 && docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.2-${VERSION_TAG} ex401.3.2 \