#!/bin/bash
# Source: https://github.com/bajnokk/ssp-metadata
# Note: the following configuration variables can be overridden by their uppercase
# equivalent in the environment, for example by calling
# export METADATADIR=/some/other/dir; export METADATA_SETS=$(echo href; echo edugain); $0
### SimpleSAMLphp configuration
#
# Base directory of the parsed metadata files
# The location of the individual files will be at
# $metadatadir/metarefresh-$metadata
metadatadir=/var/simplesamlphp/metadata
#
# Metarefresh script
metarefresh=/var/simplesamlphp/modules/metarefresh/bin/metarefresh.php
### Federation configuration
#
# Sets to consume, for example:
# metadata_sets=(pte href edugain)
metadata_sets=(href)
#
# Federation signing certificate fingerprint.
# NOTE(security): this is the trust anchor of the whole pipeline. The
# downloaded XML is handed to metarefresh with --validate-fingerprint set to
# this value, and only output that passes that check is written out. Changing
# this line, or overriding FINGERPRINT in the environment, changes which signer
# is accepted -- treat it with the same care as a key.
fingerprint=FE:AE:0B:E8:FB:59:ED:F7:CB:7F:69:DF:19:4F:8B:6D:C7:F6:96:66
#
# Metadata distribution point, __MDSET__ will be replaced with the actual metadata set name
metadata_url=https://metadata.eduid.hu/current/__MDSET__.xml
### End of configuration section
#-------------------------------
# Uppercase environment variables win over the defaults above. For the scalar
# settings an unset *or empty* environment value falls back to the default.
METADATADIR=${METADATADIR:-$metadatadir}
METAREFRESH=${METAREFRESH:-$metarefresh}
FINGERPRINT=${FINGERPRINT:-$fingerprint}
METADATA_URL=${METADATA_URL:-$metadata_url}
# METADATA_SETS is a word list: either an array or a whitespace-separated
# string (the main loop expands it unquoted on purpose). Only a completely
# absent value is replaced by the default; an explicitly empty string has one
# (empty) element and therefore means "no sets".
if [ "${#METADATA_SETS[@]}" -eq 0 ]; then
  METADATA_SETS="${metadata_sets[@]}"
fi
# Abort on the first failing command from here on (wget, php, mv, ...).
set -e
SCRIPTNAME=$(basename "$0")
# Single-instance lock: a directory (atomic mkdir) holding the owner's PID.
LOCK_DIR="/var/lock/${SCRIPTNAME}"
PIDFILE="${LOCK_DIR}/PID"
#######################################
# Acquire the single-instance lock.
# mkdir(2) is the atomic test-and-set; the owner's PID is recorded in
# $PIDFILE so a lock left behind by a dead process can be reclaimed.
# Globals:  LOCK_DIR, PIDFILE, SCRIPTNAME (read)
# Exits:    4 when another live instance holds the lock, or when the re-check
#           after writing our PID shows that another process won the race
#           for a stale lock.
# NOTE(review): `kill -0` also fails with EPERM when the PID exists but
# belongs to another user, so a lock held under a different account would be
# treated as stale here -- run this script under one dedicated account.
#######################################
function lock {
  local owner
  if mkdir "$LOCK_DIR" 2>/dev/null; then
    # Fresh lock: we are the owner, record our PID.
    echo $$ > "$PIDFILE"
  else
    owner=$(cat "$PIDFILE")
    if kill -0 "$owner" 2>/dev/null; then
      echo "Another instance of $SCRIPTNAME is running with PID $owner, aborting" 1>&2
      exit 4
    fi
    echo "Removing stale lock file, PID $owner seems to be dead" 1>&2
    echo $$ > "$PIDFILE"
  fi
  # Two processes may both have found the lock stale and written their PID;
  # whoever's PID is in the file now is the owner, everybody else gives up.
  if [[ "$$" != "$(cat "$PIDFILE")" ]]; then
    echo "Locking failed" 1>&2
    exit 4
  fi
}
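#######################################
# Release the single-instance lock, but only if this process owns it, i.e.
# $PIDFILE holds our own PID. The unconditional `rm -r $LOCK_DIR` it replaces
# was only safe because it ran after a successful lock; checking ownership
# makes unlock safe to call from an EXIT trap as well, where an instance that
# lost the lock race (exit 4) must not delete the live instance's lock.
# Globals:  LOCK_DIR, PIDFILE (read)
# Returns:  0; a missing or foreign PID file leaves the directory untouched
#           (the next run's lock reclaims a genuinely stale one).
#######################################
function unlock {
  local owner
  owner=$(cat "$PIDFILE" 2>/dev/null) || true
  if [[ "$owner" == "$$" ]]; then
    # :? guards the recursive rm against an empty LOCK_DIR.
    rm -r -- "${LOCK_DIR:?}"
  fi
}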
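# metarefresh --stdout wraps each output file in a header and trailer comment
# that names the destination file; these regexes pick out the bare file name.
# The capture group forbids "/" and requires a ".php" suffix, so the mv below
# can only ever land inside $processdir.
startregexp="/\* The following data should be added to .*/([^/]+\.php)"
endregexp="/\* End of data which should be added to.*/([^/]+\.php)"
# Paths cleanup has to remove; empty when nothing is outstanding.
downloadfile=""
processfile=""
#######################################
# EXIT-trap cleanup: remove the temp files of the current iteration and
# release the lock. Without it every early exit (2, 3, 5, or a failing wget
# under set -e) leaked the downloaded XML and/or a 0600 temp file inside
# $processdir and left the lock directory behind.
# The lock is removed only if $PIDFILE holds our own PID, so an instance that
# lost the lock race (exit 4) never removes the live instance's lock.
# Globals:  downloadfile, processfile, LOCK_DIR, PIDFILE (read)
#######################################
function cleanup {
  if [ -n "$downloadfile" ]; then
    rm -f -- "$downloadfile"
  fi
  if [ -n "$processfile" ]; then
    rm -f -- "$processfile"
  fi
  if [ -d "$LOCK_DIR" ] && [ "$(cat "$PIDFILE" 2>/dev/null)" = "$$" ]; then
    rm -r -- "${LOCK_DIR:?}"
  fi
}
trap cleanup EXIT
lock
# Deliberately unquoted: METADATA_SETS may be an array or a whitespace-separated
# string (environment override), and both must split into one word per set.
for metadata in ${METADATA_SETS[*]}; do
  processdir="$METADATADIR/metarefresh-$metadata"
  processfile=""
  validation_status=unknown
  url=${METADATA_URL/__MDSET__/$metadata}
  if [ ! -d "$processdir" ]; then
    echo "Error, expected output directory ($processdir) doesn't exist!" 1>&2
    exit 2
  fi
  downloadfile=$(mktemp)
  # TLS only protects the download in transit; the trust decision is the
  # signature check metarefresh performs against $FINGERPRINT (end of loop).
  wget -nv -q "$url" -O "$downloadfile"
  # For the actual command, see the end of the loop
  while IFS= read -r line; do
    # XXX: metarefresh terminates successfully even if the signature validation
    # has failed, but in this case the output is empty.
    # Keep every test on $processfile quoted: `[ -f ]` / `[ -s ]` with an
    # unquoted empty variable collapse to a one-argument test, which is TRUE,
    # and a line before the first start marker then hit an ambiguous redirect
    # instead of the intended parse error below.
    if [[ $line =~ $startregexp ]]; then
      # Create the new file inside $processdir so the mv below is an atomic
      # rename on the same filesystem: SimpleSAMLphp never reads a half-written
      # metadata file. mktemp creates it 0600; chmod opens it up once complete.
      processfile=$(mktemp --tmpdir="$processdir" "$metadata.XXXXX")
      # If we can loop over metarefresh output, we can assume it has been validated
      validation_status=validated
      echo "<?php" >"$processfile"
    elif [[ $line =~ $endregexp ]]; then
      target="$processdir/${BASH_REMATCH[1]}"
      if [ -z "$processfile" ]; then
        echo "Error parsing metarefresh output, end marker for $target without a start marker" 1>&2
        exit 3
      elif [ -s "$processfile" ]; then
        chmod 644 "$processfile" # Metadata is public, add read permissions to others
        mv "$processfile" "$target"
      else
        echo "Will not overwrite $target with an empty file" 1>&2
        # Do not leave the empty 0600 temp file lying around in $processdir.
        rm -f -- "$processfile"
      fi
      # Nothing is open between files; any further non-blank line is an error.
      processfile=""
    elif [ -f "$processfile" ]; then
      echo "$line" >> "$processfile"
    elif [[ $line =~ ^$ ]]; then
      continue
    else
      echo "Error parsing metarefresh output, cautiously avoid writing into nowhere" 1>&2
      exit 3
    fi
  done < <(nice php "$METAREFRESH" --stdout --validate-fingerprint="$FINGERPRINT" "$downloadfile")
  # No start marker seen at all: metarefresh produced no output, which (see the
  # XXX note) is how a failed signature validation shows up.
  if [[ "$validation_status" == "unknown" ]]; then
    echo "Error validating metadata: $url, aborting." 1>&2
    exit 5
  fi
  rm -f -- "$downloadfile"
  downloadfile=""
done
unlock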