Commit 4619e898 authored by Lukas Haemmerle's avatar Lukas Haemmerle

Added code for new metadata update script

parent fc55859a
...@@ -6,7 +6,7 @@ See LICENSE file for details. ...@@ -6,7 +6,7 @@ See LICENSE file for details.
SWITCHwayf Changes SWITCHwayf Changes
================== ==================
SWITCHwayf version: v1.21 SWITCHwayf version: v1.22
Bundled with: Bundled with:
* JQuery v3.2.1 * JQuery v3.2.1
...@@ -37,6 +37,10 @@ necessary for such releases. ...@@ -37,6 +37,10 @@ necessary for such releases.
SWITCHwayf Version History SWITCHwayf Version History
-------------------------- --------------------------
* Version 1.22 - Release date: XX. XXXXXX 2018
- Made readMetadata.php to a library
Code provided by Guillaume Rousse.
* Version 1.21 - Release date: 19. January 2018 * Version 1.21 - Release date: 19. January 2018
- Allow loading configuration from a path in a - Allow loading configuration from a path in a
web server environment variable to allow multi-tenant web server environment variable to allow multi-tenant
......
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
/* /*
****************************************************************************** ******************************************************************************
SWITCHwayf SWITCHwayf
Version: 1.21 Version: 1.22
Contact: aai@switch.ch Contact: aai@switch.ch
Web site: https://www.switch.ch/aai/support/tools/wayf/ Web site: https://www.switch.ch/aai/support/tools/wayf/
****************************************************************************** ******************************************************************************
...@@ -63,6 +63,7 @@ if ($IDPConfigFile == $backupIDPConfigFile){ ...@@ -63,6 +63,7 @@ if ($IDPConfigFile == $backupIDPConfigFile){
// Read metadata file if configuration option is set // Read metadata file if configuration option is set
if($useSAML2Metadata && function_exists('xml_parser_create')){ if($useSAML2Metadata && function_exists('xml_parser_create')){
require('readMetadata.php'); require('readMetadata.php');
updateMetadata();
} }
// Set default type // Set default type
......
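Review bot: `require('readMetadata.php');` now loads a file that, after this commit, only declares functions, so any second inclusion in the same request would end in a fatal "cannot redeclare" error; `require_once('readMetadata.php');` is the safer form for a library and matches the `require_once` the new update-metadata.php uses. The added `updateMetadata();` call also depends on `$metadataLockFile`, `$metadataIDPFile`, `$metadataSPFile` and `$verbose` already being defined in global scope by the configuration, which this hunk does not show; a one-line comment such as `// updateMetadata() reads $metadata*File and $verbose from the config loaded above` would make that coupling visible to the next maintainer. The surrounding file continues outside the hunk.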
<?php // Copyright (c) 2018, SWITCH <?php // Copyright (c) 2018, SWITCH
// This file is used to dynamically create the list of IdPs and SP to be function updateMetadata() {
// displayed for the WAYF/DS service based on the federation metadata. global $metadataLockFile, $metadataIDPFile, $metadataSPFile;
// Configuration parameters are specified in config.php. global $metadataFile, $defaultLanguage;
// global $SAML2MetaOverLocalConf, $includeLocalConfEntries;
// The list of Identity Providers can also be updated by running the script global $verbose;
// readMetadata.php periodically as web server user, e.g. with a cron entry like:
// 5 * * * * /usr/bin/php readMetadata.php > /dev/null
// Set dummy server name if run in CLI
if (!isset($_SERVER['SERVER_NAME'])){
$_SERVER['SERVER_NAME'] = 'localhost';
}
require_once('functions.php');
if (isset($_SERVER{'SWITCHWAYF_CONFIG'})){
require_once($_SERVER{'SWITCHWAYF_CONFIG'});
} else {
require_once('config.php');
}
// Make sure this script is not accessed directly
if(isRunViaCLI()){
// Run in cli mode.
// Set default config options
initConfigOptions();
// Load Identity Providers
require($IDPConfigFile);
// Check that $IDProviders exists
if (!isset($IDProviders) or !is_array($IDProviders)){
$IDProviders = array();
}
if (
!file_exists($metadataFile)
|| trim(@file_get_contents($metadataFile)) == '') {
exit ("Exiting: File ".$metadataFile." is empty or does not exist\n");
}
// Get an exclusive lock to generate our parsed IdP and SP files.
if (($lockFp = fopen($metadataLockFile, 'a+')) === false) {
$errorMsg = 'Could not open lock file '.$metadataLockFile;
die($errorMsg);
}
if (flock($lockFp, LOCK_EX) === false) {
$errorMsg = 'Could not lock file '.$metadataLockFile;
die($errorMsg);
}
echo 'Parsing metadata file '.$metadataFile."\n";
list($metadataIDProviders, $metadataSProviders) = parseMetadata($metadataFile, $defaultLanguage);
// If $metadataIDProviders is not FALSE, dump results in $metadataIDPFile.
if(is_array($metadataIDProviders)){
echo 'Dumping parsed Identity Providers to file '.$metadataIDPFile."\n";
dumpFile($metadataIDPFile, $metadataIDProviders, 'metadataIDProviders');
}
// If $metadataSProviders is not FALSE, dump results in $metadataSPFile.
if(is_array($metadataSProviders)){
echo 'Dumping parsed Service Providers to file '.$metadataSPFile."\n";
dumpFile($metadataSPFile, $metadataSProviders, 'metadataSProviders');
}
// Release the lock, and close.
flock($lockFp, LOCK_UN);
fclose($lockFp);
// If $metadataIDProviders is not FALSE, update $IDProviders and print the Identity Providers lists.
if(is_array($metadataIDProviders)){
echo 'Merging parsed Identity Providers with data from file '.$IDPConfigFile."\n";
$IDProviders = mergeInfo($IDProviders, $metadataIDProviders, $SAML2MetaOverLocalConf, $includeLocalConfEntries);
echo "Printing parsed Identity Providers:\n";
print_r($metadataIDProviders);
echo "Printing effective Identity Providers:\n";
print_r($IDProviders);
}
// If $metadataSProviders is not FALSE, update $SProviders and print the list.
if(is_array($metadataSProviders)){
// For now copy the array by reference
$SProviders = &$metadataSProviders;
echo "Printing parsed Service Providers:\n";
print_r($metadataSProviders);
}
} elseif (isRunViaInclude()) {
// Run as included file
// Open the metadata lock file. // Open the metadata lock file.
if (($lockFp = fopen($metadataLockFile, 'a+')) === false) { if (($lockFp = fopen($metadataLockFile, 'a+')) === false) {
...@@ -154,7 +60,7 @@ if(isRunViaCLI()){ ...@@ -154,7 +60,7 @@ if(isRunViaCLI()){
// Read SP and IDP files generated with metadata // Read SP and IDP files generated with metadata
require($metadataIDPFile); require($metadataIDPFile);
require($metadataSPFile); require($metadataSPFile);
// Release the lock. // Release the lock.
if ($lockFp !== false) { if ($lockFp !== false) {
flock($lockFp, LOCK_UN); flock($lockFp, LOCK_UN);
...@@ -172,13 +78,8 @@ if(isRunViaCLI()){ ...@@ -172,13 +78,8 @@ if(isRunViaCLI()){
fclose($lockFp); fclose($lockFp);
} }
} else {
exit('No direct script access allowed');
} }
closelog();
/*****************************************************************************/
// Function parseMetadata, parses metadata file and returns Array($IdPs, SPs) or // Function parseMetadata, parses metadata file and returns Array($IdPs, SPs) or
// Array(false, false) if error occurs while parsing metadata file // Array(false, false) if error occurs while parsing metadata file
function parseMetadata($metadataFile, $defaultLanguage){ function parseMetadata($metadataFile, $defaultLanguage){
...@@ -308,18 +209,15 @@ function parseMetadata($metadataFile, $defaultLanguage){ ...@@ -308,18 +209,15 @@ function parseMetadata($metadataFile, $defaultLanguage){
$infoMsg .= " ".count($metadataSProviders)." SPs, "; $infoMsg .= " ".count($metadataSProviders)." SPs, ";
$infoMsg .= ($hiddenIdPs > 0) ? $hiddenIdPs." IdPs are hidden)" : "no hidden IdPs)" ; $infoMsg .= ($hiddenIdPs > 0) ? $hiddenIdPs." IdPs are hidden)" : "no hidden IdPs)" ;
if (isRunViaCLI()){ if (isRunViaCLI() && isset($verbose) && $verbose){
echo $infoMsg."\n"; echo $infoMsg."\n";
} else { } else {
logInfo($infoMsg); logInfo($infoMsg);
} }
return Array($metadataIDProviders, $metadataSProviders); return Array($metadataIDProviders, $metadataSProviders);
} }
/******************************************************************************/
// Load SAML metadata file, parse it and update // Load SAML metadata file, parse it and update
// IDProvider.metadata.php and SProvider.metadata.php files // IDProvider.metadata.php and SProvider.metadata.php files
function regenerateMetadata($metadataFile, $defaultLanguage) { function regenerateMetadata($metadataFile, $defaultLanguage) {
...@@ -351,7 +249,6 @@ function regenerateMetadata($metadataFile, $defaultLanguage) { ...@@ -351,7 +249,6 @@ function regenerateMetadata($metadataFile, $defaultLanguage) {
} }
/******************************************************************************/
// Processes an IDPRoleDescriptor XML node and returns an IDP entry or false if // Processes an IDPRoleDescriptor XML node and returns an IDP entry or false if
// something went wrong // something went wrong
function processIDPRoleDescriptor($IDPRoleDescriptorNode){ function processIDPRoleDescriptor($IDPRoleDescriptorNode){
...@@ -473,7 +370,6 @@ function processIDPRoleDescriptor($IDPRoleDescriptorNode){ ...@@ -473,7 +370,6 @@ function processIDPRoleDescriptor($IDPRoleDescriptorNode){
return $IDP; return $IDP;
} }
/******************************************************************************/
// Processes an SPRoleDescriptor XML node and returns an SP entry or false if // Processes an SPRoleDescriptor XML node and returns an SP entry or false if
// something went wrong // something went wrong
function processSPRoleDescriptor($SPRoleDescriptorNode){ function processSPRoleDescriptor($SPRoleDescriptorNode){
...@@ -539,7 +435,6 @@ function processSPRoleDescriptor($SPRoleDescriptorNode){ ...@@ -539,7 +435,6 @@ function processSPRoleDescriptor($SPRoleDescriptorNode){
return $SP; return $SP;
} }
/******************************************************************************/
// Dump variable to a file // Dump variable to a file
function dumpFile($dumpFile, $providers, $variableName){ function dumpFile($dumpFile, $providers, $variableName){
...@@ -564,8 +459,6 @@ function dumpFile($dumpFile, $providers, $variableName){ ...@@ -564,8 +459,6 @@ function dumpFile($dumpFile, $providers, $variableName){
} }
} }
/******************************************************************************/
// Function mergeInfo is used to create the effective $IDProviders array. // Function mergeInfo is used to create the effective $IDProviders array.
// For each IDP found in the metadata, merge the values from IDProvider.conf.php. // For each IDP found in the metadata, merge the values from IDProvider.conf.php.
// If an IDP is found in IDProvider.conf as well as in metadata, use metadata // If an IDP is found in IDProvider.conf as well as in metadata, use metadata
...@@ -613,7 +506,6 @@ function mergeInfo($IDProviders, $metadataIDProviders, $SAML2MetaOverLocalConf, ...@@ -613,7 +506,6 @@ function mergeInfo($IDProviders, $metadataIDProviders, $SAML2MetaOverLocalConf,
return $mergedArray; return $mergedArray;
} }
/******************************************************************************/
// Get MD Display Names from RoleDescriptor // Get MD Display Names from RoleDescriptor
function getMDUIDisplayNames($RoleDescriptorNode){ function getMDUIDisplayNames($RoleDescriptorNode){
...@@ -628,7 +520,6 @@ function getMDUIDisplayNames($RoleDescriptorNode){ ...@@ -628,7 +520,6 @@ function getMDUIDisplayNames($RoleDescriptorNode){
return $Entity; return $Entity;
} }
/******************************************************************************/
// Get MD Keywords from RoleDescriptor // Get MD Keywords from RoleDescriptor
function getMDUIKeywords($RoleDescriptorNode){ function getMDUIKeywords($RoleDescriptorNode){
...@@ -643,7 +534,6 @@ function getMDUIKeywords($RoleDescriptorNode){ ...@@ -643,7 +534,6 @@ function getMDUIKeywords($RoleDescriptorNode){
return $Entity; return $Entity;
} }
/******************************************************************************/
// Get MD Logos from RoleDescriptor. Prefer the favicon logos // Get MD Logos from RoleDescriptor. Prefer the favicon logos
function getMDUILogos($RoleDescriptorNode){ function getMDUILogos($RoleDescriptorNode){
...@@ -661,8 +551,6 @@ function getMDUILogos($RoleDescriptorNode){ ...@@ -661,8 +551,6 @@ function getMDUILogos($RoleDescriptorNode){
return $Logos; return $Logos;
} }
/******************************************************************************/
// Get MD Attribute Value(kind) from RoleDescriptor // Get MD Attribute Value(kind) from RoleDescriptor
function getSAMLAttributeValues($RoleDescriptorNode){ function getSAMLAttributeValues($RoleDescriptorNode){
...@@ -676,8 +564,6 @@ function getSAMLAttributeValues($RoleDescriptorNode){ ...@@ -676,8 +564,6 @@ function getSAMLAttributeValues($RoleDescriptorNode){
return $Entity; return $Entity;
} }
/******************************************************************************/
// Get MD IP Address Hints from RoleDescriptor // Get MD IP Address Hints from RoleDescriptor
function getMDUIIPHints($RoleDescriptorNode){ function getMDUIIPHints($RoleDescriptorNode){
...@@ -695,7 +581,6 @@ function getMDUIIPHints($RoleDescriptorNode){ ...@@ -695,7 +581,6 @@ function getMDUIIPHints($RoleDescriptorNode){
return $Entity; return $Entity;
} }
/******************************************************************************/
// Get MD Domain Hints from RoleDescriptor // Get MD Domain Hints from RoleDescriptor
function getMDUIDomainHints($RoleDescriptorNode){ function getMDUIDomainHints($RoleDescriptorNode){
...@@ -709,7 +594,6 @@ function getMDUIDomainHints($RoleDescriptorNode){ ...@@ -709,7 +594,6 @@ function getMDUIDomainHints($RoleDescriptorNode){
return $Entity; return $Entity;
} }
/******************************************************************************/
// Get MD Geolocation Hints from RoleDescriptor // Get MD Geolocation Hints from RoleDescriptor
function getMDUIGeolocationHints($RoleDescriptorNode){ function getMDUIGeolocationHints($RoleDescriptorNode){
...@@ -725,7 +609,6 @@ function getMDUIGeolocationHints($RoleDescriptorNode){ ...@@ -725,7 +609,6 @@ function getMDUIGeolocationHints($RoleDescriptorNode){
return $Entity; return $Entity;
} }
/******************************************************************************/
// Get Organization Names from RoleDescriptor // Get Organization Names from RoleDescriptor
function getOrganizationNames($RoleDescriptorNode){ function getOrganizationNames($RoleDescriptorNode){
...@@ -743,7 +626,6 @@ function getOrganizationNames($RoleDescriptorNode){ ...@@ -743,7 +626,6 @@ function getOrganizationNames($RoleDescriptorNode){
return $Entity; return $Entity;
} }
/******************************************************************************/
// Get Attribute Consuming Service // Get Attribute Consuming Service
function getAttributeConsumingServiceNames($RoleDescriptorNode){ function getAttributeConsumingServiceNames($RoleDescriptorNode){
...@@ -758,7 +640,6 @@ function getAttributeConsumingServiceNames($RoleDescriptorNode){ ...@@ -758,7 +640,6 @@ function getAttributeConsumingServiceNames($RoleDescriptorNode){
return $Entity; return $Entity;
} }
/******************************************************************************/
// Returns true if IdP has Hide-From-Discovery entity category attribute // Returns true if IdP has Hide-From-Discovery entity category attribute
function hasHideFromDiscoveryEntityCategory($IDPRoleDescriptorNode){ function hasHideFromDiscoveryEntityCategory($IDPRoleDescriptorNode){
// Get SAML Attributes for this entity // Get SAML Attributes for this entity
......
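Review bot: In `if (isRunViaCLI() && isset($verbose) && $verbose){` inside parseMetadata(), `$verbose` is a function-local variable, so unless the part of the function body not shown in the hunk declares `global $verbose;`, the CLI script's `--verbose` flag never reaches this branch and the info message goes to `logInfo()` instead of stdout. The same scoping question applies to the new updateMetadata(): its `global` list covers the configuration variables but not `$IDProviders`, `$SProviders`, `$metadataIDProviders` or `$metadataSProviders`, while `require($metadataIDPFile)` and `require($metadataSPFile)` now execute in function scope, so the arrays those files define stay local unless the lines between the visible hunks export or return them. Please confirm, and if they are missing, either add `global $IDProviders, $SProviders, $metadataIDProviders, $metadataSProviders;` to the function header or have updateMetadata() return the merged arrays, which avoids the hidden global coupling altogether. Both updateMetadata() and parseMetadata() extend beyond the visible hunks.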
<?php // Copyright (c) 2018, SWITCH
$MAN=<<<PAGE
Name: SWITCHwayf
Author: Lukas Haemmerle, SWITCH
Description: This file is used to dynamically create the list of
IdPs and SP to be displayed for the WAYF/DS service
based on the federation metadata.
Configuration parameters are specified in config.php.
The list of Identity Providers can also be updated
by running the script update-metadata.php
periodically as web server user, e.g. with a cron
entry like:
5 * * * * /usr/bin/php update-metadata.php > /dev/null
Usage:
php update-metadata.php -help|-h
php update-metadata.php --metadata-file <file> \
--metadata-idp-file <file> --metadata-sp-file <file> \
[--verbose | -v]
Example usage:
php update-metadata.php \
--metadata-file /var/cache/shibboleth/metadata.switchaai.xml \
--metadata-idp-file /tmp/IDProvider.metadata.php \
--metadata-sp-file /tmp/SProvider.metadata.php
Argument Description
-------------------
--metadata-file <file> SAML2 metadata file
--metadata-idp-file <file> File containing Service Providers
--metadata-sp-file <file> File containing Identity Providers
--language <locale> Language locale, e.g. 'en', 'jp', ...
--verbose | -v Verbose mode
--help | -h Print this man page
PAGE;
require_once('functions.php');
require_once('readMetadata.php');
// Script options
$longopts = array(
"metadata-file:",
"metadata-idp-file:",
"metadata-sp-file:",
"language:",
"verbose",
"help",
);
$options = getopt('hv', $longopts);
if (isset($options['help']) || isset($options['h'])) {
exit($MAN);
}
if (!isset($options['metadata-file'])) {
exit("Exiting: mandatory --metadata-file parameter missing\n");
} else {
$metadataFile = $options['metadata-file'];
}
if (!isset($options['metadata-sp-file'])) {
exit("Exiting: mandatory --metadata-sp-file parameter missing\n");
} else {
$metadataSPFile = $options['metadata-sp-file'];
$metadataTempSPFile = $metadataSPFile.'.swp';
}
if (!isset($options['metadata-idp-file'])) {
exit("Exiting: mandatory --metadata-idp-file parameter missing\n");
} else {
$metadataIDPFile = $options['metadata-idp-file'];
$metadataTempIDPFile = $metadataIDPFile.'.swp';
}
// Set other options
$language = isset($options['language']) ? $options['language'] : 'en';
$verbose = isset($options['verbose']) || isset($options['v']) ? true : false;
// Input validation
if (
!file_exists($metadataFile)
|| filesize($metadataFile) == 0
) {
exit("Exiting: File $metadataFile is empty or does not exist\n");
}
if (!is_readable($metadataFile)){
exit("Exiting: File $metadataFile is not readable\n");
}
if ($verbose) {
echo "Parsing metadata file $metadataFile\n";
}
// Parse metadata
list($metadataIDProviders, $metadataSProviders) = parseMetadata($metadataFile, $language);
// If $metadataIDProviders is not FALSE, dump results in $metadataIDPFile.
if (is_array($metadataIDProviders)){
if ($verbose) {
echo "Dumping parsed Identity Providers to file $metadataIDPFile\n";
}
dumpFile($metadataTempIDPFile, $metadataIDProviders, 'metadataIDProviders');
if(!rename($metadataTempIDPFile, $metadataIDPFile)){
exit("Exiting: Could not rename temporary file $metadataTempIDPFile to $metadataIDPFile");
}
}
// If $metadataSProviders is not FALSE, dump results in $metadataSPFile.
if (is_array($metadataSProviders)){
if ($verbose) {
echo "Dumping parsed Service Providers to file $metadataSPFile\n";
}
dumpFile($metadataTempSPFile, $metadataSProviders, 'metadataSProviders');
if(!rename($metadataTempSPFile, $metadataSPFile)){
exit("Exiting: Could not rename temporary file $metadataTempSPFile to $metadataSPFile");
}
}
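Review bot: Every failure path in this script exits with a string, e.g. `exit("Exiting: mandatory --metadata-file parameter missing\n");`, and `exit(string)` prints the message to stdout and returns status 0, so the suggested cron entry (which discards stdout) cannot tell a failed run from a successful one; use `fwrite(STDERR, "Exiting: mandatory --metadata-file parameter missing\n"); exit(1);` for each of these branches, including the two `rename()` failures. The man page also has the two file descriptions swapped: `--metadata-idp-file` should read "File containing Identity Providers" and `--metadata-sp-file` "File containing Service Providers", and the Usage line omits `--language <locale>`, which the option table documents. The temporary files are derived as `$metadataIDPFile.'.swp'`, a predictable name beside the target (the example paths live under /tmp), and the exclusive lock on `$metadataLockFile` that the removed CLI path took before writing is gone, so two concurrent runs would write the same `.swp` file and, depending on how dumpFile() opens it, a pre-existing file of that name would be reused; `tempnam(dirname($metadataIDPFile), 'IDProvider.')` or re-taking the lock before dumping would close both gaps.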