Commit f4d77d3f authored by Clément OUDOT's avatar Clément OUDOT

Fix import metadata script (#1503)

parent ce7629e8
......@@ -148,285 +148,282 @@ foreach my $idpConfKey ( keys %{ $lastConf->{samlIDPMetaDataXML} } ) {
"Existing SAML partner found: [IDP] $entityID ($idpConfKey)\n";
}
}
}
# Download metadata file
my $ua = LWP::UserAgent->new;
$ua->timeout(10);
$ua->env_proxy;
my $metadata_file = $opts{metadata};
if ( $opts{verbose} ) {
print "Try to download metadata file at $metadata_file\n";
}
my $response = $ua->get($metadata_file);
# Download metadata file
my $ua = LWP::UserAgent->new;
$ua->timeout(10);
$ua->env_proxy;
if ( $response->is_success ) {
if ( $opts{verbose} ) {
print "Metadata file found\n";
}
}
else {
die $response->status_line;
}
my $metadata_file = $opts{metadata};
my $dom = XML::LibXML->load_xml( string => $response->decoded_content );
# Check file signature
if ( $opts{certificate} ) {
my $certificate_file = $opts{certificate};
if ( $opts{verbose} ) {
print "Try to download metadata file at $metadata_file\n";
print "Try to download certificate file at $certificate_file\n";
}
my $response = $ua->get($metadata_file);
my $cert_response = $ua->get($certificate_file);
if ( $response->is_success ) {
if ( $cert_response->is_success ) {
if ( $opts{verbose} ) {
print "Metadata file found\n";
print "Certificate file found:\n"
. $cert_response->decoded_content . "\n";
}
}
else {
die $response->status_line;
die $cert_response->status_line;
}
my $dom = XML::LibXML->load_xml( string => $response->decoded_content );
# Check file signature
if ( $opts{certificate} ) {
my $certificate_file = $opts{certificate};
if ( $opts{verbose} ) {
print "Try to download certificate file at $certificate_file\n";
}
my $cert_response = $ua->get($certificate_file);
if ( $cert_response->is_success ) {
if ( $opts{verbose} ) {
print "Certificate file found:\n"
. $cert_response->decoded_content . "\n";
}
}
else {
die $cert_response->status_line;
}
if ( $opts{verbose} ) {
print "Check metadata signature with certificate";
}
# TODO
print STDERR "[WARN] Signature verification not yet implemented\n"
if $opts{warning};
if ( $opts{verbose} ) {
print "Check metadata signature with certificate";
}
# Remove extensions
foreach ( $dom->findnodes('//md:Extensions') ) { $_->unbindNode; }
# Browse all partners
foreach my $partner (
$dom->findnodes('/md:EntitiesDescriptor/md:EntityDescriptor') )
{
my $entityID = $partner->getAttribute('entityID');
# Add required XML namespaces
$partner->setNamespace( "urn:oasis:names:tc:SAML:2.0:metadata",
"md", 0 );
$partner->setNamespace( "urn:oasis:names:tc:SAML:2.0:assertion",
"saml", 0 );
$partner->setNamespace( "http://www.w3.org/2000/09/xmldsig#", "ds", 0 );
# Check IDP or SP
if ( my $idp = $partner->findnodes('./md:IDPSSODescriptor') ) {
$idpCounter->{found}++;
$mdIdpList->{$entityID} = 1;
# TODO
print STDERR "[WARN] Signature verification not yet implemented\n"
if $opts{warning};
}
# Check if SAML 2.0 is supported
if (
$partner->findnodes(
# Remove extensions
foreach ( $dom->findnodes('//md:Extensions') ) { $_->unbindNode; }
# Browse all partners
foreach
my $partner ( $dom->findnodes('/md:EntitiesDescriptor/md:EntityDescriptor') )
{
my $entityID = $partner->getAttribute('entityID');
# Add required XML namespaces
$partner->setNamespace( "urn:oasis:names:tc:SAML:2.0:metadata", "md", 0 );
$partner->setNamespace( "urn:oasis:names:tc:SAML:2.0:assertion",
"saml", 0 );
$partner->setNamespace( "http://www.w3.org/2000/09/xmldsig#", "ds", 0 );
# Check IDP or SP
if ( my $idp = $partner->findnodes('./md:IDPSSODescriptor') ) {
$idpCounter->{found}++;
$mdIdpList->{$entityID} = 1;
# Check if SAML 2.0 is supported
if (
$partner->findnodes(
'./md:IDPSSODescriptor/md:SingleSignOnService[contains(@Binding,"urn:oasis:names:tc:SAML:2.0:")]'
)
)
{
)
)
{
# Read metadata
my $partner_metadata = $partner->toString;
$partner_metadata =~ s/\n//g;
# Read metadata
my $partner_metadata = $partner->toString;
$partner_metadata =~ s/\n//g;
# Check if entityID already in configuration
if ( defined $idpList->{$entityID} ) {
# Check if entityID already in configuration
if ( defined $idpList->{$entityID} ) {
# Update metadata
$lastConf->{samlIDPMetaDataXML}->{ $idpList->{$entityID} }
->{samlIDPMetaDataXML} = $partner_metadata;
# Update metadata
$lastConf->{samlIDPMetaDataXML}->{ $idpList->{$entityID} }
->{samlIDPMetaDataXML} = $partner_metadata;
# Update attributes
$lastConf->{samlIDPMetaDataExportedAttributes}
->{ $idpList->{$entityID} } = $exportedAttributes;
# Update attributes
$lastConf->{samlIDPMetaDataExportedAttributes}
->{ $idpList->{$entityID} } = $exportedAttributes;
# Update options
$lastConf->{samlIDPMetaDataOptions}
->{ $idpList->{$entityID} } = $idpOptions;
# Update options
$lastConf->{samlIDPMetaDataOptions}->{ $idpList->{$entityID} }
= $idpOptions;
if ( $opts{verbose} ) {
print "Update IDP $entityID in configuration\n";
}
$idpCounter->{updated}++;
if ( $opts{verbose} ) {
print "Update IDP $entityID in configuration\n";
}
else {
# Create a new partner
my $entityIDKey = $entityID;
$entityIDKey =~ s/^https?:\/\///;
$entityIDKey =~ s/[^a-zA-Z0-9]/-/g;
my $confKey = $idpConfKeyPrefix . $entityIDKey;
$idpCounter->{updated}++;
}
else {
# Create a new partner
my $entityIDKey = $entityID;
$entityIDKey =~ s/^https?:\/\///;
$entityIDKey =~ s/[^a-zA-Z0-9]/-/g;
my $confKey = $idpConfKeyPrefix . $entityIDKey;
# Metadata
$lastConf->{samlIDPMetaDataXML}->{$confKey}
->{samlIDPMetaDataXML} = $partner_metadata;
# Metadata
$lastConf->{samlIDPMetaDataXML}->{$confKey}
->{samlIDPMetaDataXML} = $partner_metadata;
# Attributes
$lastConf->{samlIDPMetaDataExportedAttributes}->{$confKey}
= $exportedAttributes;
# Attributes
$lastConf->{samlIDPMetaDataExportedAttributes}->{$confKey} =
$exportedAttributes;
# Options
$lastConf->{samlIDPMetaDataOptions}->{$confKey} =
$idpOptions;
# Options
$lastConf->{samlIDPMetaDataOptions}->{$confKey} = $idpOptions;
if ( $opts{verbose} ) {
print
if ( $opts{verbose} ) {
print
"Declare new IDP $entityID (configuration key $confKey)\n";
}
$idpCounter->{created}++;
}
$idpCounter->{created}++;
}
else {
print STDERR
}
else {
print STDERR
"[WARN] IDP $entityID is not compatible with SAML 2.0, it will not be imported.\n"
if $opts{warning};
$idpCounter->{rejected}++;
}
if $opts{warning};
$idpCounter->{rejected}++;
}
if ( my $sp = $partner->findnodes('./md:SPSSODescriptor') ) {
$spCounter->{found}++;
$mdSpList->{$entityID} = 1;
}
if ( my $sp = $partner->findnodes('./md:SPSSODescriptor') ) {
$spCounter->{found}++;
$mdSpList->{$entityID} = 1;
# Check if SAML 2.0 is supported
if (
$partner->findnodes(
'./md:SPSSODescriptor/md:AssertionConsumerService[contains(@Binding,"urn:oasis:names:tc:SAML:2.0:")]'
)
)
{
# Check if SAML 2.0 is supported
# Read requested attributes
my $requestedAttributes = {};
if (
$partner->findnodes(
'./md:SPSSODescriptor/md:AssertionConsumerService[contains(@Binding,"urn:oasis:names:tc:SAML:2.0:")]'
'./md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute'
)
)
{
# Read requested attributes
my $requestedAttributes = {};
if (
foreach my $requestedAttribute (
$partner->findnodes(
'./md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute'
)
)
{
foreach my $requestedAttribute (
$partner->findnodes(
'./md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute'
)
)
{
my $name = $requestedAttribute->getAttribute("Name");
my $friendlyname =
$requestedAttribute->getAttribute("FriendlyName");
my $nameformat =
$requestedAttribute->getAttribute("NameFormat");
$requestedAttributes->{$friendlyname} =
"1;$name;$nameformat;$friendlyname";
if ( $opts{verbose} ) {
print
my $name = $requestedAttribute->getAttribute("Name");
my $friendlyname =
$requestedAttribute->getAttribute("FriendlyName");
my $nameformat =
$requestedAttribute->getAttribute("NameFormat");
$requestedAttributes->{$friendlyname} =
"1;$name;$nameformat;$friendlyname";
if ( $opts{verbose} ) {
print
"Attribute $friendlyname ($name) requested by SP $entityID\n";
}
}
}
else {
$requestedAttributes =
{ 'cn' => '1;cn', 'uid' => '1;uid', 'mail' => '1;mail' };
}
}
else {
$requestedAttributes =
{ 'cn' => '1;cn', 'uid' => '1;uid', 'mail' => '1;mail' };
}
# Remove AttributeConsumingService node
foreach (
$partner->findnodes(
'./md:SPSSODescriptor/md:AttributeConsumingService')
)
{
$_->unbindNode;
}
# Remove AttributeConsumingService node
foreach (
$partner->findnodes(
'./md:SPSSODescriptor/md:AttributeConsumingService')
)
{
$_->unbindNode;
}
# Read metadata
my $partner_metadata = $partner->toString;
$partner_metadata =~ s/\n//g;
# Read metadata
my $partner_metadata = $partner->toString;
$partner_metadata =~ s/\n//g;
# Check if entityID already in configuration
if ( defined $spList->{$entityID} ) {
# Check if entityID already in configuration
if ( defined $spList->{$entityID} ) {
# Update metadata
$lastConf->{samlSPMetaDataXML}->{ $spList->{$entityID} }
->{samlSPMetaDataXML} = $partner_metadata;
# Update metadata
$lastConf->{samlSPMetaDataXML}->{ $spList->{$entityID} }
->{samlSPMetaDataXML} = $partner_metadata;
# Update attributes
$lastConf->{samlSPMetaDataExportedAttributes}
->{ $spList->{$entityID} } = $requestedAttributes;
# Update attributes
$lastConf->{samlSPMetaDataExportedAttributes}
->{ $spList->{$entityID} } = $requestedAttributes;
# Update options
$lastConf->{samlSPMetaDataOptions}->{ $spList->{$entityID} }
= $spOptions;
# Update options
$lastConf->{samlSPMetaDataOptions}->{ $spList->{$entityID} } =
$spOptions;
if ( $opts{verbose} ) {
print "Update SP $entityID in configuration\n";
}
$spCounter->{updated}++;
if ( $opts{verbose} ) {
print "Update SP $entityID in configuration\n";
}
else {
# Create a new partner
my $entityIDKey = $entityID;
$entityIDKey =~ s/^https?:\/\///;
$entityIDKey =~ s/[^a-zA-Z0-9]/-/g;
my $confKey = $spConfKeyPrefix . $entityIDKey;
$spCounter->{updated}++;
}
else {
# Create a new partner
my $entityIDKey = $entityID;
$entityIDKey =~ s/^https?:\/\///;
$entityIDKey =~ s/[^a-zA-Z0-9]/-/g;
my $confKey = $spConfKeyPrefix . $entityIDKey;
# Metadata
$lastConf->{samlSPMetaDataXML}->{$confKey}
->{samlSPMetaDataXML} = $partner_metadata;
# Metadata
$lastConf->{samlSPMetaDataXML}->{$confKey}->{samlSPMetaDataXML}
= $partner_metadata;
# Attributes
$lastConf->{samlSPMetaDataExportedAttributes}->{$confKey} =
$requestedAttributes;
# Attributes
$lastConf->{samlSPMetaDataExportedAttributes}->{$confKey} =
$requestedAttributes;
# Options
$lastConf->{samlSPMetaDataOptions}->{$confKey} = $spOptions;
# Options
$lastConf->{samlSPMetaDataOptions}->{$confKey} = $spOptions;
if ( $opts{verbose} ) {
print
"Declare new SP $entityID (configuration key $confKey)\n";
}
$spCounter->{created}++;
if ( $opts{verbose} ) {
print
"Declare new SP $entityID (configuration key $confKey)\n";
}
}
else {
print STDERR
"[WARN] SP $entityID is not compatible with SAML 2.0, it will not be imported.\n"
if $opts{warning};
$spCounter->{rejected}++;
$spCounter->{created}++;
}
}
else {
print STDERR
"[WARN] SP $entityID is not compatible with SAML 2.0, it will not be imported.\n"
if $opts{warning};
$spCounter->{rejected}++;
}
}
# Remove partners
if ( $opts{remove} ) {
foreach ( keys %$idpList ) {
my $idpConfKey = $idpList->{$_};
unless ( defined $mdIdpList->{$_} ) {
delete $lastConf->{samlIDPMetaDataXML}->{$idpConfKey};
delete $lastConf->{samlIDPMetaDataExportedAttributes}
->{$idpConfKey};
delete $lastConf->{samlIDPMetaDataOptions}->{$idpConfKey};
$idpCounter->{removed}++;
if ( $opts{verbose} ) {
print "Remove IDP $idpConfKey\n";
}
}
# Remove partners
if ( $opts{remove} ) {
foreach ( keys %$idpList ) {
my $idpConfKey = $idpList->{$_};
unless ( defined $mdIdpList->{$_} ) {
delete $lastConf->{samlIDPMetaDataXML}->{$idpConfKey};
delete $lastConf->{samlIDPMetaDataExportedAttributes}
->{$idpConfKey};
delete $lastConf->{samlIDPMetaDataOptions}->{$idpConfKey};
$idpCounter->{removed}++;
if ( $opts{verbose} ) {
print "Remove IDP $idpConfKey\n";
}
}
}
foreach ( keys %$spList ) {
my $spConfKey = $spList->{$_};
unless ( defined $mdSpList->{$_} ) {
delete $lastConf->{samlSPMetaDataXML}->{$spConfKey};
delete $lastConf->{samlSPMetaDataExportedAttributes}
->{$spConfKey};
delete $lastConf->{samlSPMetaDataOptions}->{$spConfKey};
$spCounter->{removed}++;
if ( $opts{verbose} ) {
print "Remove SP $spConfKey\n";
}
foreach ( keys %$spList ) {
my $spConfKey = $spList->{$_};
unless ( defined $mdSpList->{$_} ) {
delete $lastConf->{samlSPMetaDataXML}->{$spConfKey};
delete $lastConf->{samlSPMetaDataExportedAttributes}->{$spConfKey};
delete $lastConf->{samlSPMetaDataOptions}->{$spConfKey};
$spCounter->{removed}++;
if ( $opts{verbose} ) {
print "Remove SP $spConfKey\n";
}
}
}
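Review bot: The signature check that the `--certificate` option promises is still a `# TODO` on the new side: after downloading the certificate the script only prints `[WARN] Signature verification not yet implemented` when `$opts{warning}` is set, so a run with `--certificate` but without `--warning` imports unverified metadata with no indication at all, while the verbose line `print "Check metadata signature with certificate";` (also missing its `\n`) suggests the opposite. Emit that warning unconditionally whenever a certificate was given, e.g. `warn "[WARN] --certificate given but metadata signature verification is not implemented; metadata is imported unverified\n";`, and state the same limitation in the option's POD until the check exists. Separately, `$entityIDKey =~ s/[^a-zA-Z0-9]/-/g` maps distinct entityIDs that differ only in punctuation to the same `$confKey`, so a later partner silently overwrites an earlier one in `$lastConf->{samlIDPMetaDataXML}` / `samlSPMetaDataXML`; testing `exists` on the key before the assignment and counting such a partner as rejected would make the collision visible. The download and import logic is top-level script code that continues past the end of the hunk, and the hunk's first lines close a `foreach` opened before it.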