authorThomas NOEL <tnoel@entrouvert.com>2013-10-30 15:17:56 (GMT)
committerThomas NOEL <tnoel@entrouvert.com>2013-10-30 15:17:56 (GMT)
commitfd71b137e4611b6c20e5b4271feea0a2665e641f (patch)
tree651e01c2eba2e1041944cff5783d127ea2f61a10 /virtualenv
parentc75aed4ed5743071068dc9c7070cc536f9905052 (diff)
univnautes can use two metadata.xml (IDPs and SPs)
Diffstat (limited to 'virtualenv')
-rwxr-xr-xvirtualenv/bin/univnautes-update-metadata.sh89
-rw-r--r--virtualenv/etc/univnautes.conf3
-rw-r--r--virtualenv/pkg/univnautes.inc3
-rw-r--r--virtualenv/pkg/univnautes.xml34
4 files changed, 109 insertions, 20 deletions
diff --git a/virtualenv/bin/univnautes-update-metadata.sh b/virtualenv/bin/univnautes-update-metadata.sh
index 8810b80..af0223f 100755
--- a/virtualenv/bin/univnautes-update-metadata.sh
+++ b/virtualenv/bin/univnautes-update-metadata.sh
@@ -24,6 +24,8 @@ log() {
# clean
cd `dirname $MD`
rm -f $MD
+cd `dirname $MDSP`
+rm -f $MDSP
#
# 1. Download throught HTTPS
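Review bot: The new clean step runs `cd \`dirname $MDSP\`` and `rm -f $MDSP` unguarded and unquoted, so on a host whose univnautes.conf does not yet define MDSP the dirname resolves to `.` and rm receives an empty argument. Because the later fetch path is built from the absolute `$MDSP` anyway, the cd looks unnecessary and a guard such as `[ -n "$MDSP" ] && rm -f "$MDSP"` would keep the clean step from silently doing the wrong thing. These lines sit at script top level, so the surrounding code continues outside the hunk.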
@@ -35,11 +37,11 @@ then
if [ -r "$MDCA" ]
then
- log "downloading metadata from $MDURL (ca=$MDCA)"
+ log "downloading IdPs metadata from $MDURL (ca=$MDCA)"
wget --quiet --timeout=300 --ca-certificate=$MDCA -O $FETCH $MDURL
RET=$?
else
- log "downloading metadata from $MDURL (no-check-certificate)"
+ log "downloading IdPs metadata from $MDURL (no-check-certificate)"
wget --quiet --timeout=300 --no-check-certificate -O $FETCH $MDURL
RET=$?
fi
@@ -47,37 +49,87 @@ then
if [ $RET -ne 0 ]
then
rm -f $FETCH
- log "error while downloading metadata (wget)"
- exit 1
+ log "error while downloading IdPs metadata (wget)"
+ unset MD
+ unset MDCRT
+ else
+ mv -f $FETCH $MD
fi
- mv -f $FETCH $MD
-
else
- log "WARNING: no metadata url, use an empty one"
+ log "WARNING: no IdPs metadata url, use an empty one"
MD=/usr/local/univnautes/etc/empty-metadata.xml
unset MDCRT
fi
+if [ -n "$MDSPURL" ]
+then
+ FETCH=$MDSP.fetch.$$
+
+ if [ -r "$MDSPCA" ]
+ then
+ log "downloading SPs metadata from $MDSPURL (ca=$MDSPCA)"
+ wget --quiet --timeout=300 --ca-certificate=$MDSPCA -O $FETCH $MDSPURL
+ RET=$?
+ else
+ log "downloading SPs metadata from $MDSPURL (no-check-certificate)"
+ wget --quiet --timeout=300 --no-check-certificate -O $FETCH $MDSPURL
+ RET=$?
+ fi
+
+ if [ $RET -ne 0 ]
+ then
+ rm -f $FETCH
+ log "error while downloading SPs metadata (wget)"
+ unset MDSP
+ unset MDSPCRT
+ else
+ mv -f $FETCH $MDSP
+ fi
+else
+ log "WARNING: no SPs metadata url: use IdPs metadata url for SPs metadata url"
+ MDSP=${MD}
+ unset MDSPCRT
+fi
+
#
# 2. Check metadatas
#
-if [ -r "$MDCRT" ]
+if [ -n "$MD" -a -r "$MDCRT" ]
+then
+ xmlsec1 --verify --pubkey-cert-pem $MDCRT $MD > /var/tmp/metadata-idps-xmlsec1.out 2>&1
+
+ if [ $? -ne 0 ]
+ then
+ log "error while checking signature of IdPs metadata (xmlsec1) :"
+ cat /var/tmp/metadata-idps-xmlsec1.out | logger -p local4.error -t update-idps-metadata.xmlsec1
+ unset MD
+ fi
+elif [ -n "$MD" ]
+then
+ log "WARNING: do not check signature of IdPs metadata"
+fi
+
+if [ -n "$MDSP" -a -r "$MDSPCRT" ]
then
- xmlsec1 --verify --pubkey-cert-pem $MDCRT $MD > /var/tmp/metadata-xmlsec1.out 2>&1
+ xmlsec1 --verify --pubkey-cert-pem $MDSPCRT $MDSP > /var/tmp/metadata-sps-xmlsec1.out 2>&1
if [ $? -ne 0 ]
then
- log "error while checking signature of metadata (xmlsec1) :"
- cat /var/tmp/metadata-xmlsec1.out | logger -p local4.error -t update-metadata.xmlsec1
- exit 2
+ log "error while checking signature of SPs metadata (xmlsec1) :"
+ cat /var/tmp/metadata-sps-xmlsec1.out | logger -p local4.error -t update-sps-metadata.xmlsec1
+ unset MDSP
fi
+elif [ -n "$MDSP" ]
+then
+ log "WARNING: do not check signature of SPs metadata"
fi
+
#
-# 3. Insert metadata in portal and idp databases
+# 3. Insert metadata in portal (IdPs) and local idp (SPs) databases
#
# virtualenv activation
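Review bot: When no SP URL is configured, `MDSP=${MD}` aliases the IdP file before the IdP signature check runs, so a failed xmlsec1 verification unsets MD but leaves MDSP pointing at the same unverified file, which the pfidp sync-metadata step later in the script still loads. In the IdP failure branch, clear the alias before MD is dropped: `[ "$MDSP" = "$MD" ] && unset MDSP` placed just above `unset MD`. The same alias also makes the `elif [ -n "$MDSP" ]` branch log `do not check signature of SPs metadata` although the file was just verified as IdP metadata, so that warning could be skipped when `"$MDSP" = "$MD"`. The script continues past this hunk.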
@@ -90,7 +142,10 @@ export PATH
cd /usr/local/univnautes/pffedportal
if [ -r pffedportal.db ]
then
- python ./manage.py sync-metadata --source="federation" --idp --verbosity=1 $MD 2>&1 | logger -p local4.info -t update-metadata
+ if [ -n "$MD" ]
+ then
+ python ./manage.py sync-metadata --source="federation" --idp --verbosity=1 $MD 2>&1 | logger -p local4.info -t update-metadata
+ fi
/usr/local/bin/univnautes-update-map.sh
fi
@@ -98,7 +153,11 @@ fi
cd /usr/local/univnautes/pfidp
if [ -r pfidp.db ]
then
- python ./manage.py sync-metadata --source="federation" --sp --verbosity=1 $MD 2>&1 | logger -p local4.info -t update-metadata-idp
+ if [ -n "$MDSP" ]
+ then
+ python ./manage.py sync-metadata --source="federation" --sp --verbosity=1 $MDSP 2>&1 | logger -p local4.info -t update-metadata-idp
+ fi
fi
exit 0
+
diff --git a/virtualenv/etc/univnautes.conf b/virtualenv/etc/univnautes.conf
index f5e0af7..5ba1d22 100644
--- a/virtualenv/etc/univnautes.conf
+++ b/virtualenv/etc/univnautes.conf
@@ -4,7 +4,8 @@
REFRESH=3600
# metadata
-MD=/var/db/metadata.xml
+MD=/var/db/metadata-idps.xml
+MDSP=/var/db/metadata-sps.xml
# whitelist
WL=/var/db/whitelist.txt
diff --git a/virtualenv/pkg/univnautes.inc b/virtualenv/pkg/univnautes.inc
index 30da5f9..72ad776 100644
--- a/virtualenv/pkg/univnautes.inc
+++ b/virtualenv/pkg/univnautes.inc
@@ -28,6 +28,7 @@ function univnautes_sync() {
$b64s = array( "samlkey", "samlcrt",
"samlkeyidp", "samlcrtidp",
"mdca", "mdcrt",
+ "mdspca", "mdspcrt",
"wlca", "wlstaticips",
"mdlocal",
"userbl", "macbl" );
@@ -43,7 +44,7 @@ function univnautes_sync() {
}
}
- $urls = array( "mdurl", "wlurl", "defaultidp", "redirecturl" );
+ $urls = array( "mdurl", "mdspurl", "wlurl", "defaultidp", "redirecturl" );
foreach($urls as $url) {
if ( isset($conf[$url]) && (strlen($conf[$url]) > 0) && (parse_url($conf[$url]) != FALSE) ) {
$vars[$url] = $conf[$url];
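Review bot: Adding `mdspurl` to `$urls` reuses a check where `parse_url($conf[$url]) != FALSE` accepts almost any non-empty string, not only a URL, and the value is then expanded unquoted into a wget command line in univnautes-update-metadata.sh. For the two metadata URLs it would be safer to require a scheme, e.g. `in_array(parse_url($conf[$url], PHP_URL_SCHEME), array('https', 'http'), true)`, so a stray value cannot reach the shell as something other than a URL. The enclosing `univnautes_sync()` starts and ends outside this hunk.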
diff --git a/virtualenv/pkg/univnautes.xml b/virtualenv/pkg/univnautes.xml
index 06fc5e4..306d625 100644
--- a/virtualenv/pkg/univnautes.xml
+++ b/virtualenv/pkg/univnautes.xml
@@ -128,7 +128,7 @@
<name>Federation: metadata download</name>
</field>
<field>
- <fielddescr>Metadata URL</fielddescr>
+ <fielddescr>IdPs metadata URL, used by captive portal</fielddescr>
<fieldname>mdurl</fieldname>
<description>If this field is empty, current metadata will be removed.</description>
<default_value>https://services-federation.renater.fr/metadata/renater-test-metadata.xml</default_value>
@@ -136,7 +136,7 @@
<size>60</size>
</field>
<field>
- <fielddescr>Metadata CA (https certificate issuer)</fielddescr>
+ <fielddescr>IdPs metadata CA (https certificate issuer)</fielddescr>
<fieldname>mdca</fieldname>
<encoding>base64</encoding>
<description>in PEM format, can be a bundle</description>
@@ -146,7 +146,7 @@
<cols>66</cols>
</field>
<field>
- <fielddescr>Metadata certificate</fielddescr>
+ <fielddescr>IdPs metadata certificate</fielddescr>
<fieldname>mdcrt</fieldname>
<encoding>base64</encoding>
<description>in PEM format</description>
@@ -156,6 +156,34 @@
<cols>66</cols>
</field>
<field>
+ <fielddescr>SPs metadata URL, used by local IdP</fielddescr>
+ <fieldname>mdspurl</fieldname>
+ <description>If this field is empty, use IdPs metadata URL (see above).</description>
+ <default_value/>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>SPs metadata CA (https certificate issuer)</fielddescr>
+ <fieldname>mdspca</fieldname>
+ <encoding>base64</encoding>
+ <description>in PEM format, can be a bundle</description>
+ <default_value/>
+ <type>textarea</type>
+ <rows>4</rows>
+ <cols>66</cols>
+ </field>
+ <field>
+ <fielddescr>SPs metadata certificate</fielddescr>
+ <fieldname>mdspcrt</fieldname>
+ <encoding>base64</encoding>
+ <description>in PEM format</description>
+ <default_value/>
+ <type>textarea</type>
+ <rows>4</rows>
+ <cols>66</cols>
+ </field>
+ <field>
<type>listtopic</type>
<name>Federation: IP whitelist, for IdPs</name>
</field>
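Review bot: The description on the new `mdspurl` field says an empty value falls back to the IdPs metadata URL, but the updated script then also discards the SP certificate (`unset MDSPCRT`), so the SPs CA and certificate fields below are ignored in that case. The description should state this so an operator does not assume the SP signature is still checked: `If this field is empty, the IdPs metadata URL is used and the SPs CA/certificate fields below are ignored.`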