From 4e9ac0208fe0c879977a902f2968c6f1ce87507a Mon Sep 17 00:00:00 2001 From: Tom Scavo Date: Tue, 20 Dec 2016 10:50:42 -0500 Subject: [PATCH] Move probe_saml_idp.sh to a new project --- bin/probe_saml_idp.sh | 448 ------------------------------------------ install.sh | 1 - 2 files changed, 449 deletions(-) delete mode 100755 bin/probe_saml_idp.sh diff --git a/bin/probe_saml_idp.sh b/bin/probe_saml_idp.sh deleted file mode 100755 index ebfe567..0000000 --- a/bin/probe_saml_idp.sh +++ /dev/null @@ -1,448 +0,0 @@ -#!/bin/bash - -####################################################################### -# Copyright 2016 Internet2 -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -####################################################################### - -script_version="0.1" -user_agent_string="SAML IdP Probe ${script_version}" - -####################################################################### -# help message -####################################################################### - -display_help () { -/bin/cat <<- HELP_MSG - ${user_agent_string} - - Given a single identifier, assumed to be an IdP entityID, probe - all browser-facing SSO endpoints in IdP metadata. - - Usage: ${0##*/} [-hvq] [-1] [-t CONNECT_TIME [-m MAX_TIME]] [-r MAX_REDIRS] ID - - Options: - -h Display this message - -v Write verbose messages to stdout - -q Run quietly (i.e., write no messages to stdout) - -1 Probe SAML1 endpoint(s) in addition to SAML2 - -t Allowed time (in secs) to connect to the host - -m Maximum time (in secs) of a complete probe - -r Maximum number of HTTP redirects followed - - Option -h is mutually exclusive of all other options. Options - -q and -v are mutually exclusive of each other. Options -u and -f - are mutually exclusive of each other as well. - - The argument of the -t option is the TCP connect time, that is, - the maximum time (in secs) allotted to obtain a TCP connection. - Note that the TCP connect time includes the time it takes to do - a DNS name lookup. Since the latter is unconstrained, it may - consume all available TCP connect time. Thus the TCP connect - time should be kept small (on the order of a few seconds) since - larger values will slow this script considerably. - - The argument of the -m option is the maximum total time (in secs) - allotted to each probe. A reasonable value is a few seconds - beyond the TCP connect time. Any value less than the TCP connect - time causes the script to immediately fail. - - CONFIGURATION - - Entity metadata is required to process each identifier. Metadata is - obtained by consulting a Metadata Query Server just-in-time. - - ...(MDQ_BASE_URL), the base - URL of a Metadata Query Server (i.e., a server that conforms to the - Metadata Query Protocol). The base URL is used to construct an MDQ - request URL, which the script uses to request entity metadata - just-in-time. -HELP_MSG -} - -####################################################################### -# Bootstrap -####################################################################### - -script_bin=${0%/*} # equivalent to dirname $0 -script_name=${0##*/} # equivalent to basename $0 - -# determine the source lib directory -if [ -z "$LIB_DIR" ]; then - echo "ERROR: $script_name requires env var LIB_DIR" >&2 - exit 2 -fi -if [ ! -d "$LIB_DIR" ]; then - echo "ERROR: $script_name: LIB_DIR does not exist: $LIB_DIR" >&2 - exit 2 -fi - -# library filenames (always list command_paths first) -LIB_FILENAMES="command_paths.sh -compatible_mktemp.sh -http_tools.sh -md_tools.sh -saml_tools.sh -config_tools.sh" - -# source lib files -for lib_filename in $LIB_FILENAMES; do - lib_file="$LIB_DIR/$lib_filename" - if [ ! -f "$lib_file" ]; then - echo "ERROR: $script_name: lib file does not exist: $lib_file" >&2 - exit 2 - fi - source "$lib_file" - status_code=$? - if [ $status_code -ne 0 ]; then - echo "ERROR: $script_name failed to source lib file ($status_code) $lib_file" >&2 - exit 2 - fi -done - -# basic curl defaults -connect_timeout_default=2; max_redirs_default=7 - -# default config file -config_file_default="${script_bin}/.config" - -####################################################################### -# Process command-line options and arguments -####################################################################### - -help_mode=false; quiet_mode=false; verbose_mode=false -saml1_disabled=true -local_opts=; connect_timeout=; max_time=; max_redirs= -curl_opts= -while getopts ":hqv1t:m:r:" opt; do - case $opt in - h) - help_mode=true - ;; - q) - quiet_mode=true - verbose_mode=false - #local_opts="$local_opts -$opt" - ;; - 1) - saml1_disabled=false - ;; - v) - quiet_mode=false - verbose_mode=true - local_opts="$local_opts -$opt" - ;; - t) - connect_timeout="$OPTARG" - curl_opts="$curl_opts -t $OPTARG" - ;; - m) - max_time="$OPTARG" - curl_opts="$curl_opts -m $OPTARG" - ;; - r) - max_redirs="$OPTARG" - curl_opts="$curl_opts -r $OPTARG" - ;; - \?) - echo "ERROR: $script_name: Unrecognized option: -$OPTARG" >&2 - exit 2 - ;; - :) - echo "ERROR: $script_name: Option -$OPTARG requires an argument" >&2 - exit 2 - ;; - esac -done - -if $help_mode; then - display_help - exit 0 -fi - -# redirect stdout and stderr to the bit bucket -$quiet_mode && exec 1>/dev/null -$quiet_mode && exec 2>/dev/null - -# check consistency of timeout options -if [ -n "$max_time" -a -z "$connect_timeout" ]; then - echo "ERROR: $script_name: the -m option requires the presence of the -t option" >&2 - exit 2 -fi - -# set default connect timeout if necessary -if [ -z "$connect_timeout" ]; then - connect_timeout=$connect_timeout_default - curl_opts="$curl_opts -t $connect_timeout" -else - if [ "$connect_timeout" -le 0 ] ; then - echo "ERROR: $script_name: connect timeout ($connect_timeout) must be a positive integer" >&2 - exit 2 - fi -fi - -# compute max time if necessary -if [ -z "$max_time" ]; then - max_time=$(( connect_timeout + 2 )) - curl_opts="$curl_opts -m $max_time" -else - if [ "$max_time" -le "$connect_timeout" ]; then - echo "ERROR: $script_name: max time ($max_time) must be greater than the connect timeout ($connect_timeout)" >&2 - exit 2 - fi -fi - -# check maximum number of redirects -if [ -z "$max_redirs" ]; then - max_redirs=$max_redirs_default - curl_opts="$curl_opts -r $max_redirs" -fi - -if $verbose_mode; then - printf "$script_name using connect timeout: %d secs\n" $connect_timeout - printf "$script_name using max time: %d secs\n" $max_time - printf "$script_name using max redirects: %d\n" $max_redirs -fi - -# TODO: implement new option -config_file="$config_file_default" -$verbose_mode && echo "$script_name using config file $config_file" - -# determine the entityID -shift $(( OPTIND - 1 )) -if [ $# -ne 1 ]; then - echo "ERROR: $script_name: wrong number of arguments: $# (1 required)" >&2 - exit 2 -fi -if [ -z "$1" ] ; then - echo "ERROR: $script_name: empty string" >&2 - exit 2 -fi -entityID="$1" -$verbose_mode && echo "$script_name using entityID $entityID" - -##################################################################### -# Initialization -##################################################################### - -if $verbose_mode; then - printf "$script_name using source lib directory: %s\n" "$LIB_DIR" - for lib_filename in $LIB_FILENAMES; do - lib_file="$LIB_DIR/$lib_filename" - printf "$script_name sourcing lib file: %s\n" "$lib_file" - done -fi - -# determine temporary directory -if [ -n "$TMP_DIR" ] && [ -d "$TMP_DIR" ]; then - $verbose_mode && printf "$script_name using existing temporary dir: %s\n" "$TMP_DIR" - # use existing temporary directory (remove trailing slash) - tmp_dir="${TMP_DIR%%/}/probe_saml_idp_$$" -elif [ -n "$TMPDIR" ] && [ -d "$TMPDIR" ]; then - $verbose_mode && printf "$script_name using system temporary dir: %s\n" "$TMPDIR" - # use system temporary directory (remove trailing slash) - tmp_dir="${TMPDIR%%/}/probe_saml_idp_$$" -else - # create temporary directory - new_dir="$( make_temp_file -d )" - if [ ! -d "$new_dir" ] ; then - printf "ERROR: $script_name unable to create temporary dir\n" >&2 - exit 2 - fi - $verbose_mode && printf "$script_name using new temporary dir: %s\n" "$new_dir" - # use new temporary directory (remove trailing slash) - tmp_dir="${new_dir%%/}/probe_saml_idp_$$" -fi - -# every run of this script gets its own subdir -if [ -d "$tmp_dir" ]; then - echo "ERROR: $script_name: directory already exists: $tmp_dir" >&2 - exit 2 -fi - -# create temporary directory if necessary -$verbose_mode && printf "$script_name creating temporary subdir: %s\n" "$tmp_dir" -/bin/mkdir "$tmp_dir" -status_code=$? -if [ $status_code -ne 0 ]; then - echo "ERROR: $script_name failed to create tmp dir ($status_code) $tmp_dir" >&2 - exit 2 -fi - -# load config file -$verbose_mode && echo "$script_name loading config file $config_file" -load_config $local_opts "$config_file" -status_code=$? -if [ $status_code -ne 0 ]; then - echo "ERROR: $script_name failed to load $config_file" >&2 - exit 2 -fi - -# validate config parameters -if [ -z "$MDQ_BASE_URL" ]; then - echo "ERROR: $script_name requires config param MDQ_BASE_URL" >&2 - exit 2 -fi -if [ -z "$SAML2_SP_ENTITY_ID" ]; then - echo "ERROR: $script_name requires config param SAML2_SP_ENTITY_ID" >&2 - exit 2 -fi -if [ -z "$SAML2_SP_ACS_URL" ]; then - echo "ERROR: $script_name requires config param SAML2_SP_ACS_URL" >&2 - exit 2 -fi -if [ -z "$SAML2_SP_ACS_BINDING" ]; then - echo "ERROR: $script_name requires config param SAML2_SP_ACS_BINDING" >&2 - exit 2 -fi -if [ -z "$SAML1_SP_ENTITY_ID" ]; then - echo "ERROR: $script_name requires config param SAML1_SP_ENTITY_ID" >&2 - exit 2 -fi -if [ -z "$SAML1_SP_ACS_URL" ]; then - echo "ERROR: $script_name requires config param SAML1_SP_ACS_URL" >&2 - exit 2 -fi -if [ -z "$SAML1_SP_ACS_BINDING" ]; then - echo "ERROR: $script_name requires config param SAML1_SP_ACS_BINDING" >&2 - exit 2 -fi - -##################################################################### -# Main processing -##################################################################### - -# get entity metadata -entityDescriptor=$( getEntityFromServer -T "$tmp_dir" -u "$MDQ_BASE_URL" $entityID ) -exit_status=$? -if [ "$exit_status" -ne 0 ]; then - echo "ERROR: $script_name: unable to obtain metadata for entityID: $entityID" >&2 - exit 3 -fi - -# extract the registrar ID from the entity descriptor -registrarID=$( echo "$entityDescriptor" \ - | $_GREP -F -m 1 ' registrationAuthority=' \ - | $_SED -e 's/^.* registrationAuthority="\([^"]*\)".*$/\1/' -) - -# compute all SSO endpoints -endpoints=$( echo "$entityDescriptor" \ - | $_GREP -E '<(md:)?SingleSignOnService ' -) - -# iterate over the SAML2 browser-facing SSO endpoints -http_bindings="Redirect POST POST-SimpleSign" -for http_binding in $http_bindings; do - - # compute the SAML2 SSO endpoint - endpoint=$( echo "$endpoints" \ - | $_GREP -F -m 1 ' Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-'$http_binding'"' - ) - [ -z "$endpoint" ] && continue - - # compute the endpoint location and binding - location=$( echo "$endpoint" \ - | $_SED -e 's/^.* Location="\([^"]*\)".*$/\1/' - ) - binding=$( echo "$endpoint" \ - | $_SED -e 's/^.* Binding="\([^"]*\)".*$/\1/' - ) - $verbose_mode && printf "$script_name probing endpoint with Location=\"%s\" and Binding=\"%s\"\n" "$location" "$binding" - - # construct the SAML message - saml_message=$( construct_SAML2_AuthnRequest $location ) - exit_status=$? - if [ "$exit_status" -ne 0 ]; then - echo "ERROR: $script_name: construct_SAML2_AuthnRequest failed ($exit_status)" >&2 - exit 3 - fi - - # create temporary subdirectory if necessary - tmp_subdir="$tmp_dir/${http_binding}_SSO" - if [ ! -d "$tmp_subdir" ]; then - /bin/mkdir "$tmp_subdir" - exit_status=$? - if [ $exit_status -ne 0 ]; then - echo "ERROR: $script_name failed to create tmp dir ($exit_status) $tmp_subdir" >&2 - exit 2 - fi - fi - - # probe the endpoint - output=$( probe_saml2_idp_endpoint \ - -t $connect_timeout -m $max_time -r $max_redirs \ - -V "$tmp_subdir/curl_trace.txt" \ - -o "$tmp_subdir/idp_http_response.html" \ - -T "$tmp_subdir" \ - $location $binding "$saml_message" - ) - exit_status=$? - if [ "$exit_status" -ne 0 ]; then - echo "ERROR: $script_name: probe_saml2_idp_endpoint failed ($exit_status)" >&2 - exit 3 - fi - - echo "$output $entityID $registrarID" - -done - -$saml1_disabled && exit 0 - -# compute the Shibboleth SSO endpoint -endpoint=$( echo "$endpoints" \ - | $_GREP -F -m 1 ' Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"' -) -if [ -z "$endpoint" ]; then - $verbose_mode && echo "$script_name: Shibboleth SSO endpoint not found" - exit 0 -fi - -# compute the endpoint location and binding -location=$( echo "$endpoint" \ - | $_SED -e 's/^.* Location="\([^"]*\)".*$/\1/' -) -binding=$( echo "$endpoint" \ - | $_SED -e 's/^.* Binding="\([^"]*\)".*$/\1/' -) -$verbose_mode && printf "$script_name probing endpoint with Location=\"%s\" and Binding=\"%s\"\n" "$location" "$binding" - -# create temporary subdirectory if necessary -tmp_subdir="$tmp_dir/Shibboleth_SSO" -if [ ! -d "$tmp_subdir" ]; then - /bin/mkdir "$tmp_subdir" - exit_status=$? - if [ $exit_status -ne 0 ]; then - echo "ERROR: $script_name failed to create tmp dir ($exit_status) $tmp_subdir" >&2 - exit 2 - fi -fi - -# probe the endpoint -output=$( probe_shibboleth_sso_endpoint \ - -t $connect_timeout -m $max_time -r $max_redirs \ - -V "$tmp_subdir/curl_trace.txt" \ - -o "$tmp_subdir/idp_http_response.html" \ - -T "$tmp_subdir" \ - $location $binding -) -exit_status=$? -if [ "$exit_status" -ne 0 ]; then - echo "ERROR: $script_name: probe_saml2_idp_endpoint failed ($exit_status)" >&2 - exit 3 -fi - -echo "$output $entityID $registrarID" - -exit 0 diff --git a/install.sh b/install.sh index 4b1d6a4..696dbed 100755 --- a/install.sh +++ b/install.sh @@ -93,7 +93,6 @@ while read script_file; do fi done <