From 8489c8b9b02aa3294ca817a0a093a48b132ef634 Mon Sep 17 00:00:00 2001
From: Paul Marillonnet
Date: Mon, 16 Oct 2017 19:19:08 +0200
Subject: [PATCH] load multiple federation files (#19400)
---
 debian/cron.d | 2 +-
 debian/dirs | 2 +
 debian/install | 5 ++
 federations.d-examples/01-renater.sh | 2 +
 federations.d-examples/02-edugain.sh | 2 +
 federations.d-examples/03-renater-test.sh | 2 +
 federations.d/README | 9 +++
 load-multiple-federations.sh | 82 +++++++++++++++++++++++
 8 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 federations.d-examples/01-renater.sh
 create mode 100644 federations.d-examples/02-edugain.sh
 create mode 100644 federations.d-examples/03-renater-test.sh
 create mode 100644 federations.d/README
 create mode 100755 load-multiple-federations.sh
diff --git a/debian/cron.d b/debian/cron.d
index 1db9cdf..96ae901 100644
--- a/debian/cron.d
+++ b/debian/cron.d
@@ -2,5 +2,5 @@
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 MAILTO=root
-*/30 * * * * authentic /usr/lib/authentic2-supann/update-renater-meta.sh
+*/30 * * * * authentic /usr/lib/authentic2-supann/load-multiple-federations.sh
diff --git a/debian/dirs b/debian/dirs
index cbc75b7..8bad029 100644
--- a/debian/dirs
+++ b/debian/dirs
@@ -1,2 +1,4 @@
 /usr/lib/authentic2-supann
 /etc/apache2/sites-available
+/etc/authentic2/federations.d
+/usr/share/doc/authentic2-supann/federations.d-examples
diff --git a/debian/install b/debian/install
index 58031cc..ae7ad87 100644
--- a/debian/install
+++ b/debian/install
@@ -1,4 +1,9 @@
 config.py /etc/authentic2
 update-renater-meta.sh /usr/lib/authentic2-supann
+load-multiple-federations.sh /usr/lib/authentic2-supann
 supann.conf /etc/authentic2
 authentic2-supann.conf /etc/apache2/sites-available
+federations.d-examples/01-renater.sh /usr/share/doc/authentic2-supann/federations.d-examples
+federations.d-examples/02-edugain.sh /usr/share/doc/authentic2-supann/federations.d-examples
+federations.d-examples/03-renater-test.sh /usr/share/doc/authentic2-supann/federations.d-examples
+federations.d/README /etc/authentic2/federations.d
diff --git a/federations.d-examples/01-renater.sh b/federations.d-examples/01-renater.sh
new file mode 100644
index 0000000..2b18cb4
--- /dev/null
+++ b/federations.d-examples/01-renater.sh
@@ -0,0 +1,2 @@
+METADATA=https://metadata.federation.renater.fr/renater/main/main-sps-renater-metadata.xml
+SOURCE=renater
diff --git a/federations.d-examples/02-edugain.sh b/federations.d-examples/02-edugain.sh
new file mode 100644
index 0000000..2a44253
--- /dev/null
+++ b/federations.d-examples/02-edugain.sh
@@ -0,0 +1,2 @@
+METADATA=https://federation.renater.fr/edugain/idps-edugain-metadata.xml
+SOURCE=edugain
diff --git a/federations.d-examples/03-renater-test.sh b/federations.d-examples/03-renater-test.sh
new file mode 100644
index 0000000..16aa506
--- /dev/null
+++ b/federations.d-examples/03-renater-test.sh
@@ -0,0 +1,2 @@
+METADATA=https://metadata.federation.renater.fr/test/preview/preview-idps-renater-test-metadata.xml
+SOURCE=renater-test
diff --git a/federations.d/README b/federations.d/README
new file mode 100644
index 0000000..6753884
--- /dev/null
+++ b/federations.d/README
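Review bot: `update-renater-meta.sh` is still installed into /usr/lib/authentic2-supann by this hunk although the cron.d change in this same commit stops invoking it; either note in debian/install or the README that it is kept for manual use, or drop it so there is a single entry point writing the federation fixture and metadata. The files placed in /etc/authentic2/federations.d are sourced as shell by the `authentic` cron user, so the package should ensure that directory (created in debian/dirs) is root-owned and not writable by that user — ownership is not visible in this hunk, so treat this as something to confirm in the packaging. Installing the three examples only under /usr/share/doc is the right opt-in default; a one-line warning that `03-renater-test.sh` points at a test/preview federation and should not be copied onto a production IdP would help the admin who copies all three.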
@@ -0,0 +1,9 @@
+This directory should contain configuration files used for loading federations
+in authentic2. These files should be Bash scripts (they must bear a '.sh'
+extension), and they should declare two variables:
+- METADATA: the XML metadata file.
+- SOURCE: a keyword entry (e.g. 'renater, 'edugain') for authentic2 to handle
+this federation.
+
+Sample files are located at
+/usr/share/doc/authentic2-supann/federations.d-examples
diff --git a/load-multiple-federations.sh b/load-multiple-federations.sh
new file mode 100755
index 0000000..3f32ab0
--- /dev/null
+++ b/load-multiple-federations.sh
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+function load_meta() {
+set -e
+
+DEFAULT="/etc/default/authentic2"
+BASEDIR=`dirname $0`
+METADATA_TMP=`tempfile`
+FIXTURE_TMP=`tempfile --suffix=.json`
+TIMEOUT=30
+
+function cleanup {
+ rm -f $METADATA_TMP $FIXTURE_TMP
+}
+
+trap "cleanup" EXIT
+
+if [ -f ]; then
+ . /etc/default/authentic2
+else
+ . $BASEDIR/`basename $DEFAULT`
+fi
+
+if ! wget --tries=3 --timeout=$TIMEOUT --quiet $METADATA -O$METADATA_TMP; then
+ echo ERROR: unable to retrieve metadata from $METADATA
+ exit 1
+fi
+
+if ! xmllint $METADATA_TMP >/dev/null; then
+ echo ERROR: xmllint failed on $SOURCE metadata
+ exit 1
+fi
+
+if [ "$ALLOW_SLO" = "0" ]; then
+ SLO_SUPPORT=false
+else
+ SLO_SUPPORT=true
+fi
+
+
+# Build fixture
+cat <$FIXTURE_TMP
+[
+{
+ "model": "saml.spoptionsidppolicy",
+ "fields" : {
+ "accept_slo" : $SLO_SUPPORT,
+ "accepted_name_id_format" : "transient,persistent",
+ "ask_user_consent" : false,
+ "authn_request_signed" : false,
+ "default_name_id_format" : "transient",
+ "enabled" : true,
+ "encrypt_assertion" : false,
+ "encrypt_nameid" : false,
+ "federation_mode" : 0,
+ "forward_slo" : true,
+ "http_method_for_slo_request" : 4,
+ "idp_initiated_sso" : $SLO_SUPPORT,
+ "iframe_logout_timeout" : 300,
+ "name" : "Default",
+ "needs_iframe_logout" : false,
+ "prefered_assertion_consumer_binding" : "meta"
+ }
+}]
+EOF
+
+chmod +r $FIXTURE_TMP
+chmod +r $METADATA_TMP
+
+# Load fixture
+/usr/bin/authentic2-ctl loaddata -v0 $FIXTURE_TMP
+
+# Load metadata
+/usr/bin/authentic2-ctl sync-metadata --source=$SOURCE --sp -v1 $METADATA_TMP
+}
+
+for config in /etc/authentic2/federations.d/*.sh; do
+ METADATA=
+ SOURCE=
+ . $config
+ load_meta "$METADATA" "$SOURCE"
+done
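Review bot: The `exit 1` in load_meta's wget and xmllint failure branches terminates the whole script, so one federation whose metadata is unreachable or malformed stops every later entry in federations.d from being refreshed for that cron run, and because `trap "cleanup" EXIT` is re-armed on each call with fresh METADATA_TMP/FIXTURE_TMP values only the last federation's two `tempfile` files are ever removed — the rest accumulate in /tmp every half hour. Running each call in a subshell, `( load_meta "$METADATA" "$SOURCE" ) || rc=1`, scopes `set -e`, `exit 1` and the EXIT trap to one federation and fixes both without restructuring the function; an unmatched glob should also be skipped with `[ -e "$config" ] || continue` rather than sourcing the literal pattern. `if [ -f ]; then` as shown is a one-argument test that is always true, leaving the `$BASEDIR/`basename $DEFAULT`` fallback dead — presumably `if [ -f "$DEFAULT" ]; then` was meant (this may be a rendering artefact, as `cat <$FIXTURE_TMP` evidently is for a `cat <<EOF >$FIXTURE_TMP` heredoc). Note too that only XML well-formedness is checked before `sync-metadata --sp` imports the SP set; unless that command verifies the federation metadata signature itself, trust in the imported SPs rests solely on wget's TLS verification of the METADATA URL, which deserves a comment at the wget call at minimum.
```shell
# … unchanged: load_meta (with `if [ -f "$DEFAULT" ]; then`) …
rc=0
for config in /etc/authentic2/federations.d/*.sh; do
 [ -e "$config" ] || continue   # glob matched nothing
 METADATA=
 SOURCE=
 . "$config"
 # subshell: set -e, exit 1 and the EXIT trap (temp-file cleanup) now apply per federation
 ( load_meta "$METADATA" "$SOURCE" ) || { echo "ERROR: loading $config failed" >&2; rc=1; }
done
exit "$rc"
```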