Leverage probe_saml_idp_endpoint function

InCommon · Dec 21, 2016 · 0ddf2f9 · 0ddf2f9
1 parent ca418b7
commit 0ddf2f9
Showing 1 changed file with 34 additions and 82 deletions.
diff --git a/bin/probe_saml_idp.sh b/bin/probe_saml_idp.sh
@@ -16,7 +16,7 @@
 # limitations under the License.
 #######################################################################
 
-script_version="0.2"
+script_version="0.3"
 user_agent_string="SAML IdP Probe ${script_version}"
 
 #######################################################################
@@ -39,7 +39,7 @@ display_help () {
 	   -t      Allowed time (in secs) to connect to the host
 	   -m      Maximum time (in secs) of a complete probe
 	   -r      Maximum number of HTTP redirects followed
-	   -a      Probe all SAML endpoints, including SAML1 endpoints
+	   -a      Probe all SAML endpoints
 
 	Option -h is mutually exclusive of all other options. Options
 	-q and -v are mutually exclusive of each other. Options -u and -f 
@@ -58,11 +58,11 @@ display_help () {
 	beyond the TCP connect time. Any value less than the TCP connect
 	time causes the script to immediately fail.
 	
-	By default, the script probes all SAML2 browser-facing SSO
-	endpoints in IdP metadata. There are at most three (3) such
-	endpoints. Use option -a to probe all SAML1 browser-facing SSO 
-	endpoints as well. There is at most one such additional endpoint 
-	in metadata.
+	By default, the script probes the SAML2 HTTP-Redirect and HTTP-POST 
+	endpoints in IdP metadata. Use option -a to probe all SAML browser-
+	facing SSO endpoints in metadata, including the SAML2 HTTP-POST-SimpleSign 
+	endpoint and any SAML1 endpoint that might be present. The script 
+	probes at most one endpoint of each type.
 	
 	CONFIG
 	
@@ -92,15 +92,13 @@ display_help () {
 	SAML AuthnRequest transmitted to the IdP contains the values of 
 	these parameters. Note: An IdP reacts differently to requests 
 	from different SPs. Changing the values of these parameters may
-	produce different probe results.
+	produce different results.
 	
 	Similarly, the three SAML1_SP parameters define a SAML1 SP, that
 	is, an SP with a SAML1 browser-facing endpoint in metadata. (Any
 	given SP may support both SAML2 and SAML1, in which case the
-	SAML1_SP_ENTITY_ID parameter may be identical to the
-	SAML2_SP_ENTITY_ID parameter.) The script probes SAML1 endpoints 
-	if the -a option is given on the command line. Omit that option
-	to probe SAML2 endpoints only.
+	SAML1_SP_ENTITY_ID config parameter may be identical to the
+	SAML2_SP_ENTITY_ID parameter.)
 HELP_MSG
 }
 
@@ -147,6 +145,9 @@ done
 # basic curl defaults
 connect_timeout_default=2; max_redirs_default=7
 
+# default binding URIs
+binding_uris_default="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+
 # default config file
 config_file_default="${script_bin}/.config_saml_idp_probe.sh"
 
@@ -157,7 +158,7 @@ config_file_default="${script_bin}/.config_saml_idp_probe.sh"
 help_mode=false; quiet_mode=false; verbose_mode=false
 local_opts=; curl_opts=
 connect_timeout=; max_time=; max_redirs=
-saml1_disabled=true
+binding_uris="$binding_uris_default"
 while getopts ":hqvt:m:r:a" opt; do
 	case $opt in
 		h)
@@ -186,7 +187,8 @@ while getopts ":hqvt:m:r:a" opt; do
 			curl_opts="$curl_opts -r $OPTARG"
 			;;
 		a)
-			saml1_disabled=false
+			binding_uris="$binding_uris urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
+			binding_uris="$binding_uris urn:mace:shibboleth:1.0:profiles:AuthnRequest"
 			;;
 		\?)
 			echo "ERROR: $script_name: Unrecognized option: -$OPTARG" >&2
@@ -205,8 +207,10 @@ if $help_mode; then
 fi
 
 # redirect stdout and stderr to the bit bucket
-$quiet_mode && exec 1>/dev/null
-$quiet_mode && exec 2>/dev/null
+if $quiet_mode; then
+	exec 1>/dev/null
+	exec 2>/dev/null
+fi
 
 # check consistency of timeout options
 if [ -n "$max_time" -a -z "$connect_timeout" ]; then
@@ -380,17 +384,19 @@ endpoints=$( echo "$entityDescriptor" \
 	| $_GREP -E '<(md:)?SingleSignOnService '
 )
 
-# iterate over the SAML2 browser-facing SSO endpoints
-has_no_saml2_http_endpoints=true
-http_bindings="Redirect POST POST-SimpleSign"
-for http_binding in $http_bindings; do
+# iterate over a subset of browser-facing SSO endpoints
+has_no_saml_http_endpoints=true
+for binding_uri in $binding_uris; do
 
 	# compute the SAML2 SSO endpoint
 	endpoint=$( echo "$endpoints" \
-		| $_GREP -F -m 1 ' Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-'$http_binding'"'
+		| $_GREP -F -m 1 ' Binding="'$binding_uri'"'
 	)
-	[ -z "$endpoint" ] && continue
-	has_no_saml2_http_endpoints=false
+	if [ -z "$endpoint" ]; then
+		$verbose_mode && printf "$script_name: no endpoint with Binding=\"%s\"\n" "$binding"
+		continue
+	fi
+	has_no_saml_http_endpoints=false
 
 	# compute the endpoint location and binding
 	location=$( echo "$endpoint" \
@@ -401,16 +407,8 @@ for http_binding in $http_bindings; do
 	)
 	$verbose_mode && printf "$script_name probing endpoint with Location=\"%s\" and Binding=\"%s\"\n" "$location" "$binding"
 
-	# construct the SAML message
-	saml_message=$( construct_SAML2_AuthnRequest $location )
-	exit_status=$?
-	if [ "$exit_status" -ne 0 ]; then
-		echo "ERROR: $script_name: construct_SAML2_AuthnRequest failed ($exit_status)" >&2
-		exit 3
-	fi
-
 	# create temporary subdirectory if necessary
-	tmp_subdir="$tmp_dir/${http_binding}_SSO"
+	tmp_subdir="$tmp_dir/${binding_uri##*:}"
 	if [ ! -d "$tmp_subdir" ]; then
 		/bin/mkdir "$tmp_subdir"
 		exit_status=$?
@@ -421,11 +419,11 @@ for http_binding in $http_bindings; do
 	fi
 
 	# probe the endpoint
-	output=$( probe_saml2_idp_endpoint $curl_opts \
+	output=$( probe_saml_idp_endpoint $curl_opts \
 		-V "$tmp_subdir/curl_trace.txt" \
 		-o "$tmp_subdir/idp_http_response.html" \
 		-T "$tmp_subdir" \
-		$location $binding "$saml_message"
+		$location $binding SingleSignOnService
 	)
 	exit_status=$?
 	if [ "$exit_status" -ne 0 ]; then
@@ -437,54 +435,8 @@ for http_binding in $http_bindings; do
 
 done
 
-if $has_no_saml2_http_endpoints; then
-	echo "WARNING: $script_name: no SAML2 HTTP endpoints to probe" >&2
-fi
-
-$saml1_disabled && exit 0
-
-# compute the Shibboleth SSO endpoint
-endpoint=$( echo "$endpoints" \
-	| $_GREP -F -m 1 ' Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"'
-)
-if [ -z "$endpoint" ]; then
-	echo "WARNING: $script_name: no SAML1 HTTP endpoint to probe" >&2
-	exit 0
-fi
-
-# compute the endpoint location and binding
-location=$( echo "$endpoint" \
-	| $_SED -e 's/^.* Location="\([^"]*\)".*$/\1/'
-)
-binding=$( echo "$endpoint" \
-	| $_SED -e 's/^.* Binding="\([^"]*\)".*$/\1/'
-)
-$verbose_mode && printf "$script_name probing endpoint with Location=\"%s\" and Binding=\"%s\"\n" "$location" "$binding"
-
-# create temporary subdirectory if necessary
-tmp_subdir="$tmp_dir/Shibboleth_SSO"
-if [ ! -d "$tmp_subdir" ]; then
-	/bin/mkdir "$tmp_subdir"
-	exit_status=$?
-	if [ $exit_status -ne 0 ]; then
-		echo "ERROR: $script_name failed to create tmp dir ($exit_status) $tmp_subdir" >&2
-		exit 3
-	fi
-fi
-
-# probe the endpoint
-output=$( probe_shibboleth_sso_endpoint $curl_opts \
-	-V "$tmp_subdir/curl_trace.txt" \
-	-o "$tmp_subdir/idp_http_response.html" \
-	-T "$tmp_subdir" \
-	$location $binding
-)
-exit_status=$?
-if [ "$exit_status" -ne 0 ]; then
-	echo "ERROR: $script_name: probe_shibboleth_sso_endpoint failed ($exit_status)" >&2
-	exit 3
+if $has_no_saml_http_endpoints; then
+	echo "WARNING: $script_name: no SAML HTTP endpoints to probe" >&2
 fi
 
-echo "$output $entityID $registrarID"
-
 exit 0