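#!/bin/bash

# Refresh the RENATER federation data of a local authentic2 instance:
# download the federation metadata, the Shibboleth attribute-filter policy
# and the metadata signing certificate, check the XML and the signature,
# then feed an SP-options fixture and the metadata to authentic2-ctl.
# Configuration (RENATER_METADATA, RENATER_ATTRIBUTE_FILTERS,
# RENATER_CERTIFICATE, ALLOW_SLO) is sourced from /etc/default/authentic2,
# or from a copy with the same basename shipped next to this script.
set -e

DEFAULT="/etc/default/authentic2"
BASEDIR=$(dirname "$0")

# Scratch files for the three downloads and the generated fixture; they are
# removed by the EXIT trap.  mktemp replaces the deprecated Debian tempfile(1)
# and honours TMPDIR the same way.
METADATA_TMP=$(mktemp)
FILTERS_TMP=$(mktemp)
CERTIFICATE_TMP=$(mktemp)
# The .json suffix is kept because this file is handed to loaddata, which
# presumably selects the fixture format from the extension — confirm.
FIXTURE_TMP=$(mktemp --suffix=.json)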

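#######################################
# Remove the scratch files created at startup.  Installed as the EXIT trap, so
# it also runs after an abort caused by set -e or an explicit exit.
# Globals:  METADATA_TMP, FILTERS_TMP, CERTIFICATE_TMP, FIXTURE_TMP (read)
# Returns:  rm's status; -f keeps it quiet for files that were never created.
#######################################
cleanup() {
	# Quoted so a TMPDIR containing spaces cannot turn one path into several
	# arguments; -- stops a leading dash from being parsed as an option.
	rm -f -- "$METADATA_TMP" "$FILTERS_TMP" "$CERTIFICATE_TMP" "$FIXTURE_TMP"
}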

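trap cleanup EXIT

# Site configuration: the system-wide defaults file wins; otherwise the copy
# with the same basename shipped next to this script is used.
if [ -f "$DEFAULT" ]; then
	. "$DEFAULT"
else
	. "$BASEDIR/$(basename "$DEFAULT")"
fi

# Fail early with a clear message when the defaults file does not provide the
# download locations; wget would otherwise fail with a less helpful error.
: "${RENATER_METADATA:?must be set by the defaults file}"
: "${RENATER_ATTRIBUTE_FILTERS:?must be set by the defaults file}"
: "${RENATER_CERTIFICATE:?must be set by the defaults file}"

# Print a diagnostic on stderr and abort; the EXIT trap removes the scratch files.
die() {
	printf 'ERROR: %s\n' "$*" >&2
	exit 1
}

# Download $1 into $2 with a short retry/timeout budget; $3 describes the
# artefact in the error message.
fetch() {
	local url=$1 dest=$2 what=$3
	if ! wget --tries=2 --timeout=3 --quiet "$url" -O "$dest"; then
		die "unable to retrieve $what from $url"
	fi
}

fetch "$RENATER_METADATA" "$METADATA_TMP" "metadata"
fetch "$RENATER_ATTRIBUTE_FILTERS" "$FILTERS_TMP" "attribute filters"
fetch "$RENATER_CERTIFICATE" "$CERTIFICATE_TMP" "Renater metadata signing certificate"

# Both XML downloads must at least be well-formed before they are handed on.
xmllint "$METADATA_TMP" >/dev/null || die "xmllint failed on renater metadata"
xmllint "$FILTERS_TMP" >/dev/null || die "xmllint failed on renater attribute filters"

# Verify the metadata signature against the downloaded certificate.
# --id-attr:ID EntitiesDescriptor names the attribute the signature reference
# points at; --enabled-key-data key-name limits how the verification key may
# be supplied, presumably so that key material embedded in the document itself
# is not trusted — confirm against the xmlsec1 documentation.
# NOTE(review): the certificate is fetched at run time, so this check is only
# as strong as the channel that delivered $RENATER_CERTIFICATE; a locally
# pinned copy of the certificate would give a stronger trust anchor.
if ! xmlsec1 --verify --id-attr:ID EntitiesDescriptor \
		--pubkey-cert-pem "$CERTIFICATE_TMP" --enabled-key-data key-name \
		"$METADATA_TMP" >/dev/null 2>&1; then
	die "unable to validate signature on $RENATER_METADATA"
fi

# ALLOW_SLO=0 turns single logout off; any other value, or unset, leaves it on.
if [ "$ALLOW_SLO" = "0" ]; then
	SLO_SUPPORT=false
else
	SLO_SUPPORT=true
fi

# Build the SP options policy fixture.  Only accept_slo and idp_initiated_sso
# follow ALLOW_SLO; every other field is a fixed default.
cat <<EOF >"$FIXTURE_TMP"
[
{
    "model": "saml.spoptionsidppolicy",
    "fields" : {
        "accept_slo" : $SLO_SUPPORT,
        "accepted_name_id_format" : "transient,persistent",
        "ask_user_consent" : false,
        "authn_request_signed" : false,
        "default_name_id_format" : "transient",
        "enabled" : true,
        "encrypt_assertion" : false,
        "encrypt_nameid" : false,
        "federation_mode" : 0,
        "forward_slo" : true,
        "http_method_for_slo_request" : 4,
        "idp_initiated_sso" : $SLO_SUPPORT,
        "iframe_logout_timeout" : 300,
        "name" : "Default",
        "needs_iframe_logout" : false,
        "prefered_assertion_consumer_binding" : "meta"
      }
}]
EOF

# Fix wrong naming of the email attribute (whole word, first match per line
# only — no g flag).
sed -i 's/\<email\>/mail/' "$FILTERS_TMP"

# Load fixture
/etc/init.d/authentic2-ctl loaddata -v0 "$FIXTURE_TMP"

# Load metadata, applying the downloaded attribute-filter policy to the SPs.
/etc/init.d/authentic2-ctl sync-metadata --source=renater \
	"--shibboleth-attribute-filter-policy=$FILTERS_TMP" --sp -v1 "$METADATA_TMP"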