Commit 4619e898 authored by Lukas Haemmerle's avatar Lukas Haemmerle

Added code for new metadata update script

parent fc55859a
......@@ -6,7 +6,7 @@ See LICENSE file for details.
SWITCHwayf Changes
==================
SWITCHwayf version: v1.21
SWITCHwayf version: v1.22
Bundled with:
* JQuery v3.2.1
......@@ -37,6 +37,10 @@ necessary for such releases.
SWITCHwayf Version History
--------------------------
* Version 1.22 - Release date: XX. XXXXXX 2018
- Made readMetadata.php to a library
Code provided by Guillaume Rousse.
* Version 1.21 - Release date: 19. January 2018
- Allow loading configuration from a path in a
web server environment variable to allow multi-tenant
......
......@@ -3,7 +3,7 @@
/*
******************************************************************************
SWITCHwayf
Version: 1.21
Version: 1.22
Contact: aai@switch.ch
Web site: https://www.switch.ch/aai/support/tools/wayf/
******************************************************************************
......@@ -63,6 +63,7 @@ if ($IDPConfigFile == $backupIDPConfigFile){
// Read metadata file if configuration option is set
if($useSAML2Metadata && function_exists('xml_parser_create')){
require('readMetadata.php');
updateMetadata();
}
// Set default type
......
<?php // Copyright (c) 2018, SWITCH
// This file is used to dynamically create the list of IdPs and SP to be
// displayed for the WAYF/DS service based on the federation metadata.
// Configuration parameters are specified in config.php.
//
// The list of Identity Providers can also be updated by running the script
// readMetadata.php periodically as web server user, e.g. with a cron entry like:
// 5 * * * * /usr/bin/php readMetadata.php > /dev/null
// Set dummy server name if run in CLI
if (!isset($_SERVER['SERVER_NAME'])){
$_SERVER['SERVER_NAME'] = 'localhost';
}
require_once('functions.php');
if (isset($_SERVER{'SWITCHWAYF_CONFIG'})){
require_once($_SERVER{'SWITCHWAYF_CONFIG'});
} else {
require_once('config.php');
}
// Make sure this script is not accessed directly
if(isRunViaCLI()){
// Run in cli mode.
// Set default config options
initConfigOptions();
// Load Identity Providers
require($IDPConfigFile);
// Check that $IDProviders exists
if (!isset($IDProviders) or !is_array($IDProviders)){
$IDProviders = array();
}
if (
!file_exists($metadataFile)
|| trim(@file_get_contents($metadataFile)) == '') {
exit ("Exiting: File ".$metadataFile." is empty or does not exist\n");
}
// Get an exclusive lock to generate our parsed IdP and SP files.
if (($lockFp = fopen($metadataLockFile, 'a+')) === false) {
$errorMsg = 'Could not open lock file '.$metadataLockFile;
die($errorMsg);
}
if (flock($lockFp, LOCK_EX) === false) {
$errorMsg = 'Could not lock file '.$metadataLockFile;
die($errorMsg);
}
echo 'Parsing metadata file '.$metadataFile."\n";
list($metadataIDProviders, $metadataSProviders) = parseMetadata($metadataFile, $defaultLanguage);
// If $metadataIDProviders is not FALSE, dump results in $metadataIDPFile.
if(is_array($metadataIDProviders)){
echo 'Dumping parsed Identity Providers to file '.$metadataIDPFile."\n";
dumpFile($metadataIDPFile, $metadataIDProviders, 'metadataIDProviders');
}
// If $metadataSProviders is not FALSE, dump results in $metadataSPFile.
if(is_array($metadataSProviders)){
echo 'Dumping parsed Service Providers to file '.$metadataSPFile."\n";
dumpFile($metadataSPFile, $metadataSProviders, 'metadataSProviders');
}
// Release the lock, and close.
flock($lockFp, LOCK_UN);
fclose($lockFp);
// If $metadataIDProviders is not FALSE, update $IDProviders and print the Identity Providers lists.
if(is_array($metadataIDProviders)){
echo 'Merging parsed Identity Providers with data from file '.$IDPConfigFile."\n";
$IDProviders = mergeInfo($IDProviders, $metadataIDProviders, $SAML2MetaOverLocalConf, $includeLocalConfEntries);
echo "Printing parsed Identity Providers:\n";
print_r($metadataIDProviders);
echo "Printing effective Identity Providers:\n";
print_r($IDProviders);
}
// If $metadataSProviders is not FALSE, update $SProviders and print the list.
if(is_array($metadataSProviders)){
// For now copy the array by reference
$SProviders = &$metadataSProviders;
echo "Printing parsed Service Providers:\n";
print_r($metadataSProviders);
}
} elseif (isRunViaInclude()) {
// Run as included file
function updateMetadata() {
global $metadataLockFile, $metadataIDPFile, $metadataSPFile;
global $metadataFile, $defaultLanguage;
global $SAML2MetaOverLocalConf, $includeLocalConfEntries;
global $verbose;
// Open the metadata lock file.
if (($lockFp = fopen($metadataLockFile, 'a+')) === false) {
......@@ -154,7 +60,7 @@ if(isRunViaCLI()){
// Read SP and IDP files generated with metadata
require($metadataIDPFile);
require($metadataSPFile);
// Release the lock.
if ($lockFp !== false) {
flock($lockFp, LOCK_UN);
......@@ -172,13 +78,8 @@ if(isRunViaCLI()){
fclose($lockFp);
}
} else {
exit('No direct script access allowed');
}
closelog();
/*****************************************************************************/
// Function parseMetadata, parses metadata file and returns Array($IdPs, SPs) or
// Array(false, false) if error occurs while parsing metadata file
function parseMetadata($metadataFile, $defaultLanguage){
......@@ -308,18 +209,15 @@ function parseMetadata($metadataFile, $defaultLanguage){
$infoMsg .= " ".count($metadataSProviders)." SPs, ";
$infoMsg .= ($hiddenIdPs > 0) ? $hiddenIdPs." IdPs are hidden)" : "no hidden IdPs)" ;
if (isRunViaCLI()){
if (isRunViaCLI() && isset($verbose) && $verbose){
echo $infoMsg."\n";
} else {
logInfo($infoMsg);
}
return Array($metadataIDProviders, $metadataSProviders);
}
/******************************************************************************/
// Load SAML metadata file, parse it and update
// IDProvider.metadata.php and SProvider.metadata.php files
function regenerateMetadata($metadataFile, $defaultLanguage) {
......@@ -351,7 +249,6 @@ function regenerateMetadata($metadataFile, $defaultLanguage) {
}
/******************************************************************************/
// Processes an IDPRoleDescriptor XML node and returns an IDP entry or false if
// something went wrong
function processIDPRoleDescriptor($IDPRoleDescriptorNode){
......@@ -473,7 +370,6 @@ function processIDPRoleDescriptor($IDPRoleDescriptorNode){
return $IDP;
}
/******************************************************************************/
// Processes an SPRoleDescriptor XML node and returns an SP entry or false if
// something went wrong
function processSPRoleDescriptor($SPRoleDescriptorNode){
......@@ -539,7 +435,6 @@ function processSPRoleDescriptor($SPRoleDescriptorNode){
return $SP;
}
/******************************************************************************/
// Dump variable to a file
function dumpFile($dumpFile, $providers, $variableName){
......@@ -564,8 +459,6 @@ function dumpFile($dumpFile, $providers, $variableName){
}
}
/******************************************************************************/
// Function mergeInfo is used to create the effective $IDProviders array.
// For each IDP found in the metadata, merge the values from IDProvider.conf.php.
// If an IDP is found in IDProvider.conf as well as in metadata, use metadata
......@@ -613,7 +506,6 @@ function mergeInfo($IDProviders, $metadataIDProviders, $SAML2MetaOverLocalConf,
return $mergedArray;
}
/******************************************************************************/
// Get MD Display Names from RoleDescriptor
function getMDUIDisplayNames($RoleDescriptorNode){
......@@ -628,7 +520,6 @@ function getMDUIDisplayNames($RoleDescriptorNode){
return $Entity;
}
/******************************************************************************/
// Get MD Keywords from RoleDescriptor
function getMDUIKeywords($RoleDescriptorNode){
......@@ -643,7 +534,6 @@ function getMDUIKeywords($RoleDescriptorNode){
return $Entity;
}
/******************************************************************************/
// Get MD Logos from RoleDescriptor. Prefer the favicon logos
function getMDUILogos($RoleDescriptorNode){
......@@ -661,8 +551,6 @@ function getMDUILogos($RoleDescriptorNode){
return $Logos;
}
/******************************************************************************/
// Get MD Attribute Value(kind) from RoleDescriptor
function getSAMLAttributeValues($RoleDescriptorNode){
......@@ -676,8 +564,6 @@ function getSAMLAttributeValues($RoleDescriptorNode){
return $Entity;
}
/******************************************************************************/
// Get MD IP Address Hints from RoleDescriptor
function getMDUIIPHints($RoleDescriptorNode){
......@@ -695,7 +581,6 @@ function getMDUIIPHints($RoleDescriptorNode){
return $Entity;
}
/******************************************************************************/
// Get MD Domain Hints from RoleDescriptor
function getMDUIDomainHints($RoleDescriptorNode){
......@@ -709,7 +594,6 @@ function getMDUIDomainHints($RoleDescriptorNode){
return $Entity;
}
/******************************************************************************/
// Get MD Geolocation Hints from RoleDescriptor
function getMDUIGeolocationHints($RoleDescriptorNode){
......@@ -725,7 +609,6 @@ function getMDUIGeolocationHints($RoleDescriptorNode){
return $Entity;
}
/******************************************************************************/
// Get Organization Names from RoleDescriptor
function getOrganizationNames($RoleDescriptorNode){
......@@ -743,7 +626,6 @@ function getOrganizationNames($RoleDescriptorNode){
return $Entity;
}
/******************************************************************************/
// Get Attribute Consuming Service
function getAttributeConsumingServiceNames($RoleDescriptorNode){
......@@ -758,7 +640,6 @@ function getAttributeConsumingServiceNames($RoleDescriptorNode){
return $Entity;
}
/******************************************************************************/
// Returns true if IdP has Hide-From-Discovery entity category attribute
function hasHideFromDiscoveryEntityCategory($IDPRoleDescriptorNode){
// Get SAML Attributes for this entity
......
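Review bot: `$verbose` is read inside parseMetadata() at the new `if (isRunViaCLI() && isset($verbose) && $verbose){` line, but that name is function-local there; unless parseMetadata() declares `global $verbose` earlier in its body (outside this hunk), `isset($verbose)` is always false and the summary goes to logInfo() even when update-metadata.php was started with `--verbose`. Passing the flag explicitly would avoid the global and keep the library self-contained, e.g. `function parseMetadata($metadataFile, $defaultLanguage, $verbose = false){` with the two callers passing their own `$verbose` (updateMetadata() already imports it with `global $verbose;`). Separately, the `exit('No direct script access allowed')` branch appears to be dropped along with the CLI block, so a direct HTTP request for readMetadata.php now executes whatever top-level statements remain in the file (the config require and, if it is still there, `closelog()`); that is only harmless while the file stays definition-only, so the web server should deny direct access to this library file. parseMetadata()'s body starts and ends outside the hunks shown here.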
<?php // Copyright (c) 2018, SWITCH
$MAN=<<<PAGE
Name: SWITCHwayf
Author: Lukas Haemmerle, SWITCH
Description: This file is used to dynamically create the list of
IdPs and SP to be displayed for the WAYF/DS service
based on the federation metadata.
Configuration parameters are specified in config.php.
The list of Identity Providers can also be updated
by running the script update-metadata.php
periodically as web server user, e.g. with a cron
entry like:
5 * * * * /usr/bin/php update-metadata.php > /dev/null
Usage:
php update-metadata.php -help|-h
php update-metadata.php --metadata-file <file> \
--metadata-idp-file <file> --metadata-sp-file <file> \
[--verbose | -v]
Example usage:
php update-metadata.php \
--metadata-file /var/cache/shibboleth/metadata.switchaai.xml \
--metadata-idp-file /tmp/IDProvider.metadata.php \
--metadata-sp-file /tmp/SProvider.metadata.php
Argument Description
-------------------
--metadata-file <file> SAML2 metadata file
--metadata-idp-file <file> File containing Service Providers
--metadata-sp-file <file> File containing Identity Providers
--language <locale> Language locale, e.g. 'en', 'jp', ...
--verbose | -v Verbose mode
--help | -h Print this man page
PAGE;
require_once('functions.php');
require_once('readMetadata.php');
// Script options
$longopts = array(
"metadata-file:",
"metadata-idp-file:",
"metadata-sp-file:",
"language:",
"verbose",
"help",
);
$options = getopt('hv', $longopts);
if (isset($options['help']) || isset($options['h'])) {
exit($MAN);
}
if (!isset($options['metadata-file'])) {
exit("Exiting: mandatory --metadata-file parameter missing\n");
} else {
$metadataFile = $options['metadata-file'];
}
if (!isset($options['metadata-sp-file'])) {
exit("Exiting: mandatory --metadata-sp-file parameter missing\n");
} else {
$metadataSPFile = $options['metadata-sp-file'];
$metadataTempSPFile = $metadataSPFile.'.swp';
}
if (!isset($options['metadata-idp-file'])) {
exit("Exiting: mandatory --metadata-idp-file parameter missing\n");
} else {
$metadataIDPFile = $options['metadata-idp-file'];
$metadataTempIDPFile = $metadataIDPFile.'.swp';
}
// Set other options
$language = isset($options['language']) ? $options['language'] : 'en';
$verbose = isset($options['verbose']) || isset($options['v']) ? true : false;
// Input validation
if (
!file_exists($metadataFile)
|| filesize($metadataFile) == 0
) {
exit("Exiting: File $metadataFile is empty or does not exist\n");
}
if (!is_readable($metadataFile)){
exit("Exiting: File $metadataFile is not readable\n");
}
if ($verbose) {
echo "Parsing metadata file $metadataFile\n";
}
// Parse metadata
list($metadataIDProviders, $metadataSProviders) = parseMetadata($metadataFile, $language);
// If $metadataIDProviders is not FALSE, dump results in $metadataIDPFile.
if (is_array($metadataIDProviders)){
if ($verbose) {
echo "Dumping parsed Identity Providers to file $metadataIDPFile\n";
}
dumpFile($metadataTempIDPFile, $metadataIDProviders, 'metadataIDProviders');
if(!rename($metadataTempIDPFile, $metadataIDPFile)){
exit("Exiting: Could not rename temporary file $metadataTempIDPFile to $metadataIDPFile");
}
}
// If $metadataSProviders is not FALSE, dump results in $metadataSPFile.
if (is_array($metadataSProviders)){
if ($verbose) {
echo "Dumping parsed Service Providers to file $metadataSPFile\n";
}
dumpFile($metadataTempSPFile, $metadataSProviders, 'metadataSProviders');
if(!rename($metadataTempSPFile, $metadataSPFile)){
exit("Exiting: Could not rename temporary file $metadataTempSPFile to $metadataSPFile");
}
}
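Review bot: The argument table in `$MAN` has the two file descriptions swapped: `--metadata-idp-file` is documented as "File containing Service Providers" and `--metadata-sp-file` as "File containing Identity Providers", the opposite of how the script uses them; change the two lines to `--metadata-idp-file <file> File containing Identity Providers` and `--metadata-sp-file <file> File containing Service Providers`. The result of dumpFile() is not checked before either `rename()` call, so if dumpFile() reports a failed or partial write (its body is not on this page), the incomplete `.swp` file would still be moved over the live IdP or SP file; the rename should only run when the dump succeeded. The CLI path also no longer takes the `$metadataLockFile` exclusive lock that the removed readMetadata.php CLI branch held, while `updateMetadata()` still takes it on the web side; the per-file rename is atomic for readers, but two overlapping cron runs write the same predictable `.swp` path and can truncate each other's output before one of them renames it, so taking the same lock around the dump-and-rename sequence would keep writers serialised. The two rename-failure `exit()` messages also lack the trailing `\n` the other messages carry.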