From 0ddf2f9a187733f9a69762b0fa2e079a5c03b2f5 Mon Sep 17 00:00:00 2001
From: Tom Scavo
Date: Wed, 21 Dec 2016 13:00:01 -0500
Subject: [PATCH] Leverage probe_saml_idp_endpoint function
---
 bin/probe_saml_idp.sh | 116 +++++++++++++-----------------------------
 1 file changed, 34 insertions(+), 82 deletions(-)
diff --git a/bin/probe_saml_idp.sh b/bin/probe_saml_idp.sh
index b88f186..f92df3a 100755
--- a/bin/probe_saml_idp.sh
+++ b/bin/probe_saml_idp.sh
@@ -16,7 +16,7 @@
 # limitations under the License.
 #######################################################################
-script_version="0.2"
+script_version="0.3"
 user_agent_string="SAML IdP Probe ${script_version}"
 #######################################################################
@@ -39,7 +39,7 @@ display_help () {
     -t Allowed time (in secs) to connect to the host -m Maximum time (in secs) of a complete probe -r Maximum number of HTTP redirects followed
-    -a Probe all SAML endpoints, including SAML1 endpoints
+    -a Probe all SAML endpoints
     Option -h is mutually exclusive of all other options. Options -q and -v are mutually exclusive of each other. Options -u and -f
@@ -58,11 +58,11 @@ display_help () {
     beyond the TCP connect time. Any value less than the TCP connect time causes the script to immediately fail.
-    By default, the script probes all SAML2 browser-facing SSO
-    endpoints in IdP metadata. There are at most three (3) such
-    endpoints. Use option -a to probe all SAML1 browser-facing SSO
-    endpoints as well. There is at most one such additional endpoint
-    in metadata.
+    By default, the script probes the SAML2 HTTP-Redirect and HTTP-POST
+    endpoints in IdP metadata. Use option -a to probe all SAML browser-
+    facing SSO endpoints in metadata, including the SAML2 HTTP-POST-SimpleSign
+    endpoint and any SAML1 endpoint that might be present. The script
+    probes at most one endpoint of each type.
 CONFIG
@@ -92,15 +92,13 @@ display_help () {
     SAML AuthnRequest transmitted to the IdP contains the values of these parameters. Note: An IdP reacts differently to requests from different SPs. Changing the values of these parameters may
-    produce different probe results.
+    produce different results.
     Similarly, the three SAML1_SP parameters define a SAML1 SP, that is, an SP with a SAML1 browser-facing endpoint in metadata. (Any given SP may support both SAML2 and SAML1, in which case the
-    SAML1_SP_ENTITY_ID parameter may be identical to the
-    SAML2_SP_ENTITY_ID parameter.) The script probes SAML1 endpoints
-    if the -a option is given on the command line. Omit that option
-    to probe SAML2 endpoints only.
+    SAML1_SP_ENTITY_ID config parameter may be identical to the
+    SAML2_SP_ENTITY_ID parameter.)
 HELP_MSG
 }
@@ -147,6 +145,9 @@ done
 # basic curl defaults
 connect_timeout_default=2; max_redirs_default=7
+# default binding URIs
+binding_uris_default="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+
 # default config file
 config_file_default="${script_bin}/.config_saml_idp_probe.sh"
@@ -157,7 +158,7 @@ config_file_default="${script_bin}/.config_saml_idp_probe.sh"
 help_mode=false; quiet_mode=false; verbose_mode=false
 local_opts=; curl_opts=
 connect_timeout=; max_time=; max_redirs=
-saml1_disabled=true
+binding_uris="$binding_uris_default"
 while getopts ":hqvt:m:r:a" opt; do
     case $opt in
         h)
@@ -186,7 +187,8 @@ while getopts ":hqvt:m:r:a" opt; do
             curl_opts="$curl_opts -r $OPTARG"
             ;;
         a)
-            saml1_disabled=false
+            binding_uris="$binding_uris urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
+            binding_uris="$binding_uris urn:mace:shibboleth:1.0:profiles:AuthnRequest"
             ;;
         \?)
             echo "ERROR: $script_name: Unrecognized option: -$OPTARG" >&2
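Review bot: In the `a)` arm of the getopts loop, giving `-a` more than once appends the two extra binding URIs again, so `binding_uris` then carries duplicates and the probe loop later in the file probes the same endpoint twice, reusing the same `tmp_subdir` and overwriting the earlier curl trace and response file. Assigning the complete list instead of appending makes the option idempotent: `binding_uris="$binding_uris_default urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign urn:mace:shibboleth:1.0:profiles:AuthnRequest"`. The `binding_uris_default` line in the earlier hunk would also benefit from a one-line comment such as `# whitespace-separated list; iterated unquoted later, so entries must not contain spaces`. The `while getopts` loop begins and ends outside this hunk.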
@@ -205,8 +207,10 @@ if $help_mode; then
 fi
 # redirect stdout and stderr to the bit bucket
-$quiet_mode && exec 1>/dev/null
-$quiet_mode && exec 2>/dev/null
+if $quiet_mode; then
+    exec 1>/dev/null
+    exec 2>/dev/null
+fi
 # check consistency of timeout options
 if [ -n "$max_time" -a -z "$connect_timeout" ]; then
@@ -380,17 +384,19 @@ endpoints=$( echo "$entityDescriptor" \
     | $_GREP -E '<(md:)?SingleSignOnService '
 )
-# iterate over the SAML2 browser-facing SSO endpoints
-has_no_saml2_http_endpoints=true
-http_bindings="Redirect POST POST-SimpleSign"
-for http_binding in $http_bindings; do
+# iterate over a subset of browser-facing SSO endpoints
+has_no_saml_http_endpoints=true
+for binding_uri in $binding_uris; do
     # compute the SAML2 SSO endpoint
     endpoint=$( echo "$endpoints" \
-        | $_GREP -F -m 1 ' Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-'$http_binding'"'
+        | $_GREP -F -m 1 ' Binding="'$binding_uri'"'
     )
-    [ -z "$endpoint" ] && continue
-    has_no_saml2_http_endpoints=false
+    if [ -z "$endpoint" ]; then
+        $verbose_mode && printf "$script_name: no endpoint with Binding=\"%s\"\n" "$binding"
+        continue
+    fi
+    has_no_saml_http_endpoints=false
     # compute the endpoint location and binding
     location=$( echo "$endpoint" \
@@ -401,16 +407,8 @@ for http_binding in $http_bindings; do
     )
     $verbose_mode && printf "$script_name probing endpoint with Location=\"%s\" and Binding=\"%s\"\n" "$location" "$binding"
-    # construct the SAML message
-    saml_message=$( construct_SAML2_AuthnRequest $location )
-    exit_status=$?
-    if [ "$exit_status" -ne 0 ]; then
-        echo "ERROR: $script_name: construct_SAML2_AuthnRequest failed ($exit_status)" >&2
-        exit 3
-    fi
-
     # create temporary subdirectory if necessary
-    tmp_subdir="$tmp_dir/${http_binding}_SSO"
+    tmp_subdir="$tmp_dir/${binding_uri##*:}"
     if [ ! -d "$tmp_subdir" ]; then
         /bin/mkdir "$tmp_subdir"
         exit_status=$?
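Review bot: The two `exec` lines inside the new `if $quiet_mode; then` block can be one redirection, `exec >/dev/null 2>&1`, which states in a single place that stderr follows stdout and removes the window between the two statements in which diagnostics still reach stderr (nothing visible in this hunk emits there, so this is a point of style). The rest of the script's behaviour in quiet mode is unchanged by the rewrite.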
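Review bot: The new "no endpoint" diagnostic in the `if [ -z "$endpoint" ]` branch prints `"$binding"`, but `binding` is assigned further down the loop body (from `$endpoint` via sed, after the end of this hunk), so on a miss it is empty on the first iteration and stale from the previous iteration afterwards; the value the message is about is the loop variable. Write it as `$verbose_mode && printf '%s: no endpoint with Binding="%s"\n' "$script_name" "$binding_uri"`, which also moves `$script_name` out of the printf format string so a `%` in the script's name is not interpreted as a conversion; the probing message visible as context in the next hunk has the same format-string shape and could be adjusted the same way. The `for binding_uri in $binding_uris` loop continues past the end of this hunk.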
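Review bot: `tmp_subdir="$tmp_dir/${binding_uri##*:}"` names the scratch directory after the last colon-separated segment of the binding URI, which a reader who only sees the resulting directories (HTTP-Redirect, HTTP-POST, HTTP-POST-SimpleSign, AuthnRequest) cannot infer; a comment on that line would help, e.g. `# scratch dir named after the last URI segment, e.g. HTTP-Redirect or AuthnRequest`. Because two URIs with the same final segment would share one directory and overwrite each other's curl trace and response, the comment could also note that the entries in `binding_uris_default` and option `-a` must keep those segments distinct. The enclosing `for` loop starts before and continues after this hunk.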
@@ -421,11 +419,11 @@ for http_binding in $http_bindings; do
     fi
     # probe the endpoint
-    output=$( probe_saml2_idp_endpoint $curl_opts \
+    output=$( probe_saml_idp_endpoint $curl_opts \
         -V "$tmp_subdir/curl_trace.txt" \
         -o "$tmp_subdir/idp_http_response.html" \
         -T "$tmp_subdir" \
-        $location $binding "$saml_message"
+        $location $binding SingleSignOnService
     )
     exit_status=$?
     if [ "$exit_status" -ne 0 ]; then
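Review bot: The rewritten argument line still passes `$location` and `$binding` unquoted; `location` is extracted from the IdP's metadata, an external document, so a value containing whitespace or glob characters would be split into extra positional arguments or expanded before `probe_saml_idp_endpoint` sees it, shifting the new `SingleSignOnService` argument out of place. Quote both: `"$location" "$binding" SingleSignOnService`. Leaving `$curl_opts` unquoted is presumably deliberate since it is built as a space-separated option list earlier in the script. The surrounding `for` loop and the `probe_saml_idp_endpoint` function are outside this hunk.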
@@ -437,54 +435,8 @@ for http_binding in $http_bindings; do
 done
-if $has_no_saml2_http_endpoints; then
-    echo "WARNING: $script_name: no SAML2 HTTP endpoints to probe" >&2
-fi
-
-$saml1_disabled && exit 0
-
-# compute the Shibboleth SSO endpoint
-endpoint=$( echo "$endpoints" \
-    | $_GREP -F -m 1 ' Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"'
-)
-if [ -z "$endpoint" ]; then
-    echo "WARNING: $script_name: no SAML1 HTTP endpoint to probe" >&2
-    exit 0
-fi
-
-# compute the endpoint location and binding
-location=$( echo "$endpoint" \
-    | $_SED -e 's/^.* Location="\([^"]*\)".*$/\1/'
-)
-binding=$( echo "$endpoint" \
-    | $_SED -e 's/^.* Binding="\([^"]*\)".*$/\1/'
-)
-$verbose_mode && printf "$script_name probing endpoint with Location=\"%s\" and Binding=\"%s\"\n" "$location" "$binding"
-
-# create temporary subdirectory if necessary
-tmp_subdir="$tmp_dir/Shibboleth_SSO"
-if [ ! -d "$tmp_subdir" ]; then
-    /bin/mkdir "$tmp_subdir"
-    exit_status=$?
-    if [ $exit_status -ne 0 ]; then
-        echo "ERROR: $script_name failed to create tmp dir ($exit_status) $tmp_subdir" >&2
-        exit 3
-    fi
-fi
-
-# probe the endpoint
-output=$( probe_shibboleth_sso_endpoint $curl_opts \
-    -V "$tmp_subdir/curl_trace.txt" \
-    -o "$tmp_subdir/idp_http_response.html" \
-    -T "$tmp_subdir" \
-    $location $binding
-)
-exit_status=$?
-if [ "$exit_status" -ne 0 ]; then
-    echo "ERROR: $script_name: probe_shibboleth_sso_endpoint failed ($exit_status)" >&2
-    exit 3
+if $has_no_saml_http_endpoints; then
+    echo "WARNING: $script_name: no SAML HTTP endpoints to probe" >&2
 fi
-echo "$output $entityID $registrarID"
-
 exit 0
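Review bot: When no endpoint matched any binding, the new `if $has_no_saml_http_endpoints` block prints its warning and then falls through to the unchanged `exit 0`, so a caller such as a monitoring job cannot distinguish "every probed endpoint answered" from "nothing was probed"; the removed SAML1 branch had the same shape, so this is inherited rather than introduced, but the rewrite is a natural moment to exit from inside the `if` with a distinct non-zero status (the script already uses 3 for internal failures, so pick another value). The removed `echo "$output $entityID $registrarID"` was the only place in the old tail that printed a probe result; I assume the per-endpoint result line is now emitted inside the loop, which ends at the `done` at the top of this hunk, and that is worth confirming so the last probe's output is not silently dropped.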