Print warning if no endpoints to probe

InCommon · Dec 20, 2016 · 4ef59a3 · 4ef59a3
1 parent 4f9c789
commit 4ef59a3
Showing 1 changed file with 18 additions and 6 deletions.
diff --git a/bin/probe_saml_idp.sh b/bin/probe_saml_idp.sh
@@ -36,10 +36,10 @@ display_help () {
 	   -h      Display this message
 	   -v      Write verbose messages to stdout
 	   -q      Run quietly (i.e., write no messages to stdout)
-	   -a      Probe all SAML endpoints, including SAML1 endpoint(s)
 	   -t      Allowed time (in secs) to connect to the host
 	   -m      Maximum time (in secs) of a complete probe
 	   -r      Maximum number of HTTP redirects followed
+	   -a      Probe all SAML endpoints, including SAML1 endpoints
 
 	Option -h is mutually exclusive of all other options. Options
 	-q and -v are mutually exclusive of each other. Options -u and -f 
@@ -58,6 +58,12 @@ display_help () {
 	beyond the TCP connect time. Any value less than the TCP connect
 	time causes the script to immediately fail.
 	
+	By default, the script probes all SAML2 browser-facing SSO
+	endpoints in IdP metadata. There are at most three (3) such
+	endpoints. Use option -a to probe all SAML1 browser-facing SSO 
+	endpoints as well. There is at most one such additional endpoint 
+	in metadata.
+	
 	CONFIGURATION
 	
 	The script reads a file of config parameters. The script loads the 
@@ -152,7 +158,7 @@ help_mode=false; quiet_mode=false; verbose_mode=false
 saml1_disabled=true
 local_opts=; connect_timeout=; max_time=; max_redirs=
 curl_opts=
-while getopts ":hqvat:m:r:" opt; do
+while getopts ":hqvt:m:r:a" opt; do
 	case $opt in
 		h)
 			help_mode=true
@@ -162,9 +168,6 @@ while getopts ":hqvat:m:r:" opt; do
 			verbose_mode=false
 			#local_opts="$local_opts -$opt"
 			;;
-		a)
-			saml1_disabled=false
-			;;
 		v)
 			quiet_mode=false
 			verbose_mode=true
@@ -182,6 +185,9 @@ while getopts ":hqvat:m:r:" opt; do
 			max_redirs="$OPTARG"
 			curl_opts="$curl_opts -r $OPTARG"
 			;;
+		a)
+			saml1_disabled=false
+			;;
 		\?)
 			echo "ERROR: $script_name: Unrecognized option: -$OPTARG" >&2
 			exit 2
@@ -375,6 +381,7 @@ endpoints=$( echo "$entityDescriptor" \
 )
 
 # iterate over the SAML2 browser-facing SSO endpoints
+has_no_saml2_http_endpoints=true
 http_bindings="Redirect POST POST-SimpleSign"
 for http_binding in $http_bindings; do
 
@@ -383,6 +390,7 @@ for http_binding in $http_bindings; do
 		| $_GREP -F -m 1 ' Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-'$http_binding'"'
 	)
 	[ -z "$endpoint" ] && continue
+	has_no_saml2_http_endpoints=false
 
 	# compute the endpoint location and binding
 	location=$( echo "$endpoint" \
@@ -430,14 +438,18 @@ for http_binding in $http_bindings; do
 
 done
 
+if $has_no_saml2_http_endpoints; then
+	echo "WARNING: $script_name: no SAML2 HTTP endpoints to probe" >&2
+fi
+
 $saml1_disabled && exit 0
 
 # compute the Shibboleth SSO endpoint
 endpoint=$( echo "$endpoints" \
 	| $_GREP -F -m 1 ' Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"'
 )
 if [ -z "$endpoint" ]; then
-	$verbose_mode && echo "$script_name: Shibboleth SSO endpoint not found"
+	echo "WARNING: $script_name: no SAML1 HTTP endpoint to probe" >&2
 	exit 0
 fi