From 4ef59a3827ee76c9456cef0e0766fe8ed807e535 Mon Sep 17 00:00:00 2001
From: Tom Scavo
Date: Tue, 20 Dec 2016 14:01:02 -0500
Subject: [PATCH] Print warning if no endpoints to probe

---
 bin/probe_saml_idp.sh | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/bin/probe_saml_idp.sh b/bin/probe_saml_idp.sh
index ce21f23..0c330f9 100755
--- a/bin/probe_saml_idp.sh
+++ b/bin/probe_saml_idp.sh
@@ -36,10 +36,10 @@ display_help () {
 -h Display this message
 -v Write verbose messages to stdout
 -q Run quietly (i.e., write no messages to stdout)
- -a Probe all SAML endpoints, including SAML1 endpoint(s)
 -t Allowed time (in secs) to connect to the host
 -m Maximum time (in secs) of a complete probe
 -r Maximum number of HTTP redirects followed
+ -a Probe all SAML endpoints, including SAML1 endpoints
 Option -h is mutually exclusive of all other options. Options -q and -v are mutually exclusive of each other. Options -u and -f
@@ -58,6 +58,12 @@ display_help () {
 beyond the TCP connect time. Any value less than the TCP connect time causes the script to immediately fail.
+ By default, the script probes all SAML2 browser-facing SSO
+ endpoints in IdP metadata. There are at most three (3) such
+ endpoints. Use option -a to probe all SAML1 browser-facing SSO
+ endpoints as well. There is at most one such additional endpoint
+ in metadata.
+
 CONFIGURATION
 The script reads a file of config parameters. The script loads the
@@ -152,7 +158,7 @@ help_mode=false; quiet_mode=false; verbose_mode=false
 saml1_disabled=true
 local_opts=; connect_timeout=; max_time=; max_redirs=
 curl_opts=
-while getopts ":hqvat:m:r:" opt; do
+while getopts ":hqvt:m:r:a" opt; do
 case $opt in
 h)
 help_mode=true
@@ -162,9 +168,6 @@ while getopts ":hqvat:m:r:" opt; do
 verbose_mode=false
 #local_opts="$local_opts -$opt"
 ;;
- a)
- saml1_disabled=false
- ;;
 v)
 quiet_mode=false
 verbose_mode=true
@@ -182,6 +185,9 @@ while getopts ":hqvat:m:r:" opt; do
 max_redirs="$OPTARG"
 curl_opts="$curl_opts -r $OPTARG"
 ;;
+ a)
+ saml1_disabled=false
+ ;;
 \?)
 echo "ERROR: $script_name: Unrecognized option: -$OPTARG" >&2
 exit 2
@@ -375,6 +381,7 @@ endpoints=$( echo "$entityDescriptor" \
 )
 # iterate over the SAML2 browser-facing SSO endpoints
+has_no_saml2_http_endpoints=true
 http_bindings="Redirect POST POST-SimpleSign"
 for http_binding in $http_bindings; do
@@ -383,6 +390,7 @@ for http_binding in $http_bindings; do
 | $_GREP -F -m 1 ' Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-'$http_binding'"'
 )
 [ -z "$endpoint" ] && continue
+ has_no_saml2_http_endpoints=false
 # compute the endpoint location and binding
 location=$( echo "$endpoint" \
@@ -430,6 +438,10 @@ for http_binding in $http_bindings; do
 done
+if $has_no_saml2_http_endpoints; then
+ echo "WARNING: $script_name: no SAML2 HTTP endpoints to probe" >&2
+fi
+
 $saml1_disabled && exit 0
 # compute the Shibboleth SSO endpoint
@@ -437,7 +449,7 @@ endpoint=$( echo "$endpoints" \
 | $_GREP -F -m 1 ' Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"'
 )
 if [ -z "$endpoint" ]; then
- $verbose_mode && echo "$script_name: Shibboleth SSO endpoint not found"
+ echo "WARNING: $script_name: no SAML1 HTTP endpoint to probe" >&2
 exit 0
 fi
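Review bot: In the `@@ -430,6 +438,10 @@` hunk the new warning is followed by the unchanged `$saml1_disabled && exit 0`, so an IdP whose metadata carries no SAML2 HTTP endpoint exits 0 exactly like a successful probe, and the `@@ -437,7 +449,7 @@` hunk does the same with the `exit 0` right after the new SAML1 warning. A monitor or cron job that keys on the exit status therefore cannot tell "nothing was probed" from "probe succeeded", which is a silent pass for a script whose job is to probe; since the script already reserves a non-zero code for usage errors (`exit 2` in the `@@ -182,6` hunk), either a distinct non-zero status for the no-endpoint case or a sentence in the help text stating that the warning is advisory and the status stays 0 would make the contract explicit. As a point of style, `if $has_no_saml2_http_endpoints; then` executes the variable's value as a command, which matches the file's existing `$saml1_disabled && exit 0` idiom but reads as a double negative; a positively named flag, `saml2_http_endpoint_found=false` in the `@@ -375,6` hunk, `saml2_http_endpoint_found=true` in the `@@ -383,6` hunk and `if ! $saml2_http_endpoint_found; then` here, reads more directly. The `done` in the `@@ -430,6` hunk closes the `for http_binding` loop that begins outside the hunk.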