
#!/bin/bash
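set -e
# System-wide configuration file; a copy next to the script is the fallback.
readonly DEFAULT="/etc/default/authentic2"
BASEDIR=$(dirname "$0")
# Scratch files for the three downloads and the generated fixture; they are
# removed by the EXIT trap installed below. mktemp replaces the deprecated
# Debian-only tempfile(1); the .json suffix is kept for the fixture loader.
METADATA_TMP=$(mktemp)
FILTERS_TMP=$(mktemp)
CERTIFICATE_TMP=$(mktemp)
FIXTURE_TMP=$(mktemp --suffix=.json)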
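#######################################
# Remove the scratch files created at startup. Wired to the EXIT trap so it
# also runs when the script aborts under set -e.
# Globals: METADATA_TMP FILTERS_TMP CERTIFICATE_TMP FIXTURE_TMP (read)
#######################################
cleanup() {
  # Quoted paths and '--' so an odd TMPDIR cannot be word-split or parsed as options.
  rm -f -- "$METADATA_TMP" "$FILTERS_TMP" "$CERTIFICATE_TMP" "$FIXTURE_TMP"
}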
# Always remove the scratch files, whatever the exit path.
trap cleanup EXIT
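# Load the settings this script reads (RENATER_* URLs, ALLOW_SLO) from the
# system defaults file, falling back to the copy shipped next to the script.
# The test must name the file: a bare `[ -f ]` is always true, which made the
# fallback unreachable and the script fail when the system file was absent.
if [ -f "$DEFAULT" ]; then
  . "$DEFAULT"
else
  . "$BASEDIR/$(basename "$DEFAULT")"
fi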
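#######################################
# Download one resource or abort the whole run.
# Arguments: $1 - URL, $2 - destination file, $3 - description for the error
# wget gives up after 2 tries of 3s each so a stalled server cannot hang a
# cron run; --quiet hides wget's own diagnostics, so only our message is shown.
#######################################
fetch_or_die() {
  local url=$1 dest=$2 what=$3
  if ! wget --tries=2 --timeout=3 --quiet "$url" -O "$dest"; then
    echo "ERROR: unable to retrieve $what from $url" >&2
    exit 1
  fi
}
fetch_or_die "$RENATER_METADATA" "$METADATA_TMP" "metadata"
fetch_or_die "$RENATER_ATTRIBUTE_FILTERS" "$FILTERS_TMP" "attribute filters"
fetch_or_die "$RENATER_CERTIFICATE" "$CERTIFICATE_TMP" "Renater metadata signing certificate"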
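# Reject malformed XML before attempting signature verification.
# --noout replaces the stdout redirect; --nonet keeps libxml2 from fetching any
# external DTD or entity referenced by the downloaded documents.
if ! xmllint --noout --nonet "$METADATA_TMP"; then
  echo "ERROR: xmllint failed on renater metadata" >&2
  exit 1
fi
if ! xmllint --noout --nonet "$FILTERS_TMP"; then
  echo "ERROR: xmllint failed on renater attribute filters" >&2
  exit 1
fi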
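# Verify the XML-DSig on the metadata against the Renater signing certificate.
# --id-attr:ID EntitiesDescriptor tells xmlsec which attribute carries the ID
# the signature reference points at; the key is taken from the PEM certificate.
# NOTE(review): the trust anchor (CERTIFICATE_TMP) is itself downloaded on every
# run from RENATER_CERTIFICATE, so this check only detects tampering if that
# fetch is served over a trusted channel — pinning a local copy would be stronger.
# xmlsec1 output is discarded; drop the redirects when debugging a failure.
if ! xmlsec1 --verify --id-attr:ID EntitiesDescriptor \
    --pubkey-cert-pem "$CERTIFICATE_TMP" --enabled-key-data key-name \
    "$METADATA_TMP" >/dev/null 2>&1; then
  echo "ERROR: unable to validate signature on $RENATER_METADATA" >&2
  exit 1
fi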
if [ "$ALLOW_SLO" = "0" ]; then
SLO_SUPPORT=false
else
SLO_SUPPORT=true
fi
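# Build the saml.spoptionsidppolicy fixture that is loaded below. Only
# $SLO_SUPPORT is expanded inside the here-doc, and it is always a bare
# true/false, so the output stays valid JSON.
# NOTE(review): idp_initiated_sso is driven by $SLO_SUPPORT as well — confirm
# that coupling it to ALLOW_SLO is intended rather than a copy of accept_slo.
cat <<EOF >"$FIXTURE_TMP"
[
{
"model": "saml.spoptionsidppolicy",
"fields" : {
"accept_slo" : $SLO_SUPPORT,
"accepted_name_id_format" : "transient,persistent",
"ask_user_consent" : false,
"authn_request_signed" : false,
"default_name_id_format" : "transient",
"enabled" : true,
"encrypt_assertion" : false,
"encrypt_nameid" : false,
"federation_mode" : 0,
"forward_slo" : true,
"http_method_for_slo_request" : 4,
"idp_initiated_sso" : $SLO_SUPPORT,
"iframe_logout_timeout" : 300,
"name" : "Default",
"needs_iframe_logout" : false,
"prefered_assertion_consumer_binding" : "meta"
}
}]
EOF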
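# Fix wrong naming of the email attribute in the filter policy. \< \> are GNU
# sed word boundaries; without the /g flag only the first match on each line is
# rewritten — presumably one attribute per line, verify against the filters file.
sed -i 's/\<email\>/mail/' "$FILTERS_TMP"
# Load fixture
/etc/init.d/authentic2 manage loaddata -v0 "$FIXTURE_TMP"
# Load metadata: register the Renater SPs, applying the filter policy above.
/etc/init.d/authentic2 manage sync-metadata --source=renater \
  --shibboleth-attribute-filter-policy="$FILTERS_TMP" --sp -v1 "$METADATA_TMP"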