load multiple federation files (#19400)

debian/cron.d

@@ -2,5 +2,5 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 
 MAILTO=root
 
-*/30 * * * * authentic /usr/lib/authentic2-supann/update-renater-meta.sh
+*/30 * * * * authentic /usr/lib/authentic2-supann/load-multiple-federations.sh
 

debian/dirs

@@ -1,2 +1,4 @@
 /usr/lib/authentic2-supann
 /etc/apache2/sites-available
+/etc/authentic2/federations.d
+/usr/share/doc/authentic2-supann/federations.d-examples

debian/install

@@ -1,4 +1,9 @@
 config.py /etc/authentic2
 update-renater-meta.sh /usr/lib/authentic2-supann
+load-multiple-federations.sh /usr/lib/authentic2-supann
 supann.conf /etc/authentic2
 authentic2-supann.conf /etc/apache2/sites-available
+federations.d-examples/01-renater.sh /usr/share/doc/authentic2-supann/federations.d-examples
+federations.d-examples/02-edugain.sh /usr/share/doc/authentic2-supann/federations.d-examples
+federations.d-examples/03-renater-test.sh /usr/share/doc/authentic2-supann/federations.d-examples
+federations.d/README /etc/authentic2/federations.d

federations.d-examples/01-renater.sh

@@ -0,0 +1,2 @@
+METADATA=https://metadata.federation.renater.fr/renater/main/main-sps-renater-metadata.xml
+SOURCE=renater

federations.d-examples/02-edugain.sh

@@ -0,0 +1,2 @@
+METADATA=https://federation.renater.fr/edugain/idps-edugain-metadata.xml
+SOURCE=edugain

federations.d-examples/03-renater-test.sh

@@ -0,0 +1,2 @@
+METADATA=https://metadata.federation.renater.fr/test/preview/preview-idps-renater-test-metadata.xml
+SOURCE=renater-test

federations.d/README

@@ -0,0 +1,9 @@
+This directory should contain configuration files used for loading federations
+in authentic2. These files should be Bash scripts (they must bear a '.sh'
+extension), and they should declare two variables:
+- METADATA: the XML metadata file.
+- SOURCE: a keyword entry (e.g. 'renater, 'edugain') for authentic2 to handle
+this federation.
+
+Sample files are located at
+/usr/share/doc/authentic2-supann/federations.d-examples

load-multiple-federations.sh

@@ -0,0 +1,82 @@
+#!/bin/bash
+
+function load_meta() {
+set -e
+
+DEFAULT="/etc/default/authentic2"
+BASEDIR=`dirname $0`
+METADATA_TMP=`tempfile`
+FIXTURE_TMP=`tempfile --suffix=.json`
+TIMEOUT=30
+
+function cleanup {
+	rm -f $METADATA_TMP $FIXTURE_TMP
+}
+
+trap "cleanup" EXIT
+
+if [ -f  ]; then
+	. /etc/default/authentic2
+else
+	. $BASEDIR/`basename $DEFAULT`
+fi
+
+if ! wget --tries=3 --timeout=$TIMEOUT --quiet $METADATA -O$METADATA_TMP; then
+	echo ERROR: unable to retrieve metadata from $METADATA
+	exit 1
+fi
+
+if ! xmllint $METADATA_TMP >/dev/null; then
+	echo ERROR: xmllint failed on $SOURCE metadata
+	exit 1
+fi
+
+if [ "$ALLOW_SLO" = "0" ]; then
+	SLO_SUPPORT=false
+else
+	SLO_SUPPORT=true
+fi
+
+
+# Build fixture
+cat <<EOF >$FIXTURE_TMP
+[
+{
+    "model": "saml.spoptionsidppolicy",
+    "fields" : {
+        "accept_slo" : $SLO_SUPPORT,
+        "accepted_name_id_format" : "transient,persistent",
+        "ask_user_consent" : false,
+        "authn_request_signed" : false,
+        "default_name_id_format" : "transient",
+        "enabled" : true,
+        "encrypt_assertion" : false,
+        "encrypt_nameid" : false,
+        "federation_mode" : 0,
+        "forward_slo" : true,
+        "http_method_for_slo_request" : 4,
+        "idp_initiated_sso" : $SLO_SUPPORT,
+        "iframe_logout_timeout" : 300,
+        "name" : "Default",
+        "needs_iframe_logout" : false,
+        "prefered_assertion_consumer_binding" : "meta"
+      }
+}]
+EOF
+
+chmod +r $FIXTURE_TMP
+chmod +r $METADATA_TMP
+
+# Load fixture
+/usr/bin/authentic2-ctl loaddata -v0 $FIXTURE_TMP
+
+# Load metadata
+/usr/bin/authentic2-ctl sync-metadata --source=$SOURCE --sp -v1 $METADATA_TMP
+}
+
+for config in /etc/authentic2/federations.d/*.sh; do
+	METADATA=
+	SOURCE=
+	. $config
+	load_meta "$METADATA" "$SOURCE"
+done