Commit 54137d75c028a2d22d85d5ae40d3c06b68d53cfb

Authored by Esmeralda Pires
0 parents
Exists in master

Primeira versão

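--- a/bin/checkMergedMetadata.php
+++ b/bin/checkMergedMetadata.php
@@ -0,0 +1,52 @@
+#!/usr/bin/env php
+<?php
+
+define('SIMPLESAMLPATH', dirname(dirname(dirname(dirname(__FILE__)))));
+define('MODULEPATH', (dirname(dirname(__FILE__))));
+ini_set('error_level', E_ALL & E_STRICT);
+ini_set('display_errors', true);
+
+require(MODULEPATH.'/config/config.php');
+
+
+if(!($gen = @file_get_contents(SIMPLESAMLPATH.'/'.$destinationgenerated.'/saml20-sp-merged.php'))) {
+ echo("failed to get generated file's contents\n");
+ exit(2);
+}
+
+$gen = preg_replace('/<\?php/', '', $gen);
+$gen = preg_replace('/\?>/', '', $gen);
+
+if(($ret = @eval($gen) === false)) {
+ echo("parse error in generated code\n");
+ exit(2);
+}
+
+function _raise_error($msg) {
+ echo($msg."\n");
+ exit(3);
+}
+
+if(!isset($metadata))
+ _raise_error('metadata variable not set');
+
+if(!is_array($metadata))
+ _raise_error('metadata variable is not an array');
+
+if (sizeof($metadata) < $size_of_metadata)
+ _raise_error('metadata array holds less than 10 items');
+
+foreach($metadata as $k => $m) {
+ if(!is_array($m))
+ _raise_error('metadata item '.((string)$k).' is not an array');
+ if(empty($m['entityid']) || !is_string($m['entityid']))
+ _raise_error('metadata item '.((string)$k).' has empty or non-string \'entityid\' member');
+ if(empty($m['authproc']) || !is_array($m['authproc']))
+ _raise_error('metadata item '.((string)$k).' has empty or non-array \'authproc\' member');
+ if(empty($m['attributes']) || !is_array($m['attributes']))
+ _raise_error('metadata item '.((string)$k).' has empty or non-array \'attributes\' member');
+}
+
+exit(0);
+
+?>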
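Review bot: `ini_set('error_level', E_ALL & E_STRICT);` on line 6 is a no-op — `error_level` is not a PHP ini directive, and `E_ALL & E_STRICT` evaluates to 0 or to E_STRICT alone depending on the PHP version, so even with the right directive it would report less, not more; what is meant is `error_reporting(E_ALL | E_STRICT);`, and the same line appears in bin/mergeMetadata.php. On line 20 the parentheses wrap the assignment around the comparison, so `$ret` holds a bool rather than eval's result; `$ret` is never read, so `if (@eval($gen) === false)` states the intent, and on PHP 7+ a parse error in the generated file is raised as a ParseError rather than returned as false, so the eval needs a `try`/`catch (\ParseError $e)` for this check to keep working. The message on line 37 hard-codes "10 items" while the threshold is `$size_of_metadata` (1 in config/config.php); interpolating the configured value keeps the log truthful.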
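--- a/bin/fetchFederationMetadata.php
+++ b/bin/fetchFederationMetadata.php
@@ -0,0 +1,31 @@
+#!/usr/bin/env php
+<?php
+
+define('SCRIPTPATH', (dirname(__FILE__)));
+define('BASEPATH', dirname(dirname(dirname(dirname(__FILE__)))));
+
+require(SCRIPTPATH.'/../config/config.php');
+
+$command = BASEPATH.'/modules/metarefresh/bin/metarefresh.php -o='.$destinationgenerated.' --validate-fingerprint=' . $fingerprint . ' ' . $metadatasource . ' >'.BASEPATH.'/log/'.$logdestination;
+exec($command, $output, $exitCode);
+if ($exitCode != 0) {
+ echo($output[0]);
+ exit($exitCode);
+}
+
+exec(SCRIPTPATH.'/mergeMetadata.php', $output, $exitCode);
+if ($exitCode != 0) {
+ echo($output[0]);
+ exit($exitCode);
+}
+
+exec(SCRIPTPATH.'/checkMergedMetadata.php', $output, $exitCode);
+if ($exitCode != 0) {
+ echo($output[0]);
+ exit($exitCode);
+}
+
+rename(BASEPATH.'/'.$destinationgenerated.'/saml20-sp-merged.php', BASEPATH.'/metadata/'.$destination);
+exit(0);
+
+?>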
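Review bot: `exec()` appends to `$output` when the array already holds elements, so when the second or third call (lines 16–26) fails, `echo($output[0])` prints the first line of the earlier command's output rather than the failing script's message; reset with `$output = [];` before each `exec`. The `rename()` on line 28 is unchecked, so a failed move still reaches `exit(0)` and the cron job reports success while the previous metadata file stays in place — `if (!rename(...)) { echo("cannot move merged metadata into place\n"); exit(1); }`. The command on line 9 concatenates `$destinationgenerated`, `$fingerprint`, `$metadatasource` and `$logdestination` without `escapeshellarg()`; they come from the module's own config.php, so the exposure is low, but escaping each value costs nothing and keeps the command correct if a path or URL ever contains shell metacharacters.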
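--- a/bin/mergeMetadata.php
+++ b/bin/mergeMetadata.php
@@ -0,0 +1,93 @@
+#!/usr/bin/env php
+<?php
+
+define('SIMPLESAMLPATH', dirname(dirname(dirname(dirname(__FILE__)))));
+define('MODULEPATH', (dirname(dirname(__FILE__))));
+ini_set('error_level', E_ALL & E_STRICT);
+ini_set('display_errors', true);
+
+/*
+ Merge metadata-generated/saml20-sp-remote.php with ../config/saml20-sp-mixin.php
+ and drop superfluous fields.
+ Templates may be specified by entityID or by category (http://macedir.org/entity-category).
+ If specified by entity-category fields in the metadata dominate otherwise the template
+ fields overwrite fields in the imported metadata.
+ Merged metadata are written to metadata-generated/saml20-sp-merged.php.
+ */
+
+require(MODULEPATH.'/config/config.php');
+
+require_once(SIMPLESAMLPATH.'/lib/_autoload.php');
+require(SIMPLESAMLPATH.'/'.$destinationgenerated.'/saml20-sp-remote.php');
+require(MODULEPATH.'/config/saml20-sp-mixin.php');
+
+foreach($template as $url => $mdata) {
+ if(!isset($metadata[$url])) {
+ passthru("logger -t IDP-METADATA-DIFF 'INFO: template url not found in metadata array: $url'");
+ }
+}
+
+if(!($fh = @fopen(SIMPLESAMLPATH.'/'.$destinationgenerated.'/saml20-sp-merged.php', 'w'))) {
+ echo("cannot open/create output file\n");
+ exit(1);
+}
+@fwrite($fh, "<?php\n");
+
+foreach($metadata as $url => $mdata) {
+ foreach($fieldsToStrip as $field) unset($mdata[$field]);
+
+// map "attributes" and "attributes.required" from OIDs to friendly names
+ $mapper = new sspmod_core_Auth_Process_AttributeMap(array('oid2name'), NULL);
+ foreach(['attributes', 'attributes.required'] as $field) {
+ if(isset($mdata[$field])) {
+ $tmp = array('Attributes' => array_fill_keys($mdata[$field], 0));
+ $mapper->process($tmp);
+ $mdata[$field] = array_keys($tmp['Attributes']);
+ }
+ }
+
+ $templateWins = true;
+ if(isset($template[$url])) $currentTemplate = $template[$url];
+ else $currentTemplate = NULL;
+
+ if($currentTemplate == NULL && isset($mdata['EntityAttributes']['http://macedir.org/entity-category'])) {
+ foreach($mdata['EntityAttributes']['http://macedir.org/entity-category'] as $category) {
+ if(isset($template[$category])) {
+ $currentTemplate = $template[$category];
+ $templateWins = false;
+ }
+ }
+ }
+ if($currentTemplate == NULL) $currentTemplate = $defaultTemplate;
+
+ foreach($currentTemplate as $field => $value) {
+ if($templateWins || !isset($mdata[$field])) $mdata[$field] = $value;
+ }
+
+ if(isset($mdata['attributes.allowed'])) {
+ $mdata['attributes'] = array_intersect($mdata['attributes'], $mdata['attributes.allowed']);
+ unset($mdata['attributes.allowed']);
+ }
+ if(isset($mdata['attributes.required']) && isset($mdata['attributes.allowed.ifRequired'])) {
+ $allowed = array_intersect($mdata['attributes.required'], $mdata['attributes.allowed.ifRequired']);
+ $mdata['attributes'] = $mdata['attributes'] + $allowed;
+ }
+ unset($mdata['attributes.allowed.ifRequired']);
+ unset($mdata['attributes.required']);
+
+ // output
+ if(!@fwrite($fh, "\n\$metadata['$url'] = ".var_export($mdata, true).";\n")) {
+ echo("cannot write to output file\n");
+ exit(1);
+ }
+}
+
+@fwrite($fh, "\n?>");
+if(!@fclose($fh)) {
+ echo("cannot close output file\n");
+ exit(1);
+}
+
+exit(0);
+
+?>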
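Review bot: On line 79 `"\n\$metadata['$url'] = "` writes the entityID — a key of `$metadata`, i.e. data taken from the fetched saml20-sp-remote.php — into PHP source without escaping, so an entityID containing `'` yields a file that is later `eval`ed by bin/checkMergedMetadata.php and `require`d by SimpleSAMLphp as code; the feed is fingerprint-validated upstream, which limits who can put such a value there, but the generated file should still be well-formed for any key, so write it with `var_export($url, true)` as is already done for the value. Line 26 interpolates a `$template` key into a single-quoted `passthru()` shell command; the keys come from the local mixin config so the exposure is low, but `escapeshellarg($url)` (or `syslog()` without a shell) makes the logging robust to any key. `$currentTemplate == NULL` on lines 53 and 61 is a loose comparison that also matches an empty-array template, so an entity whose template is `array()` silently falls through to `$defaultTemplate`; `=== null` is what is meant. On line 68 `$mdata['attributes']` is read without an `isset` check, and on line 73 `+` is a key-based union — `array_intersect` preserves the original integer keys, so a required attribute whose key collides with one already in `attributes` is dropped rather than appended; `array_values(array_unique(array_merge($mdata['attributes'], $allowed)))` gives the intended list.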
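--- a/config/config.php
+++ b/config/config.php
@@ -0,0 +1,19 @@
+<?php
+
+
+// SP PROXY RCTSaai, downloaded from RCTSaai infrastrucuture.
+
+/* Metadata signer certificate SHA1 fingerprint obtained using the following command
+ # wget https://engine.rctsaai.pt/authentication/sp/certificate
+ # openssl x509 -in certificate.pem -noout -fingerprint -sha1
+*/
+$fingerprint = 'A0:A0:1D:11:F3:18:45:7F:64:A3:81:95:04:A5:36:EF:56:1C:35:AA';
+$metadatasource = 'https://engine.rctsaai.pt/authentication/sp/metadata';
+
+// NOTE: You need to create <simpleSAMLphp path>/metadata/metarefresh-services/metamerge-rctsaaiproxy with privileges for
+// the cronjob to create saml20-sp-remote.php inside that directory
+$size_of_metadata = 1;
+$destination = 'metarefresh-services/metamerge-rctsaaiproxy/saml20-sp-remote.php';
+$destinationgenerated = 'metadata-generated-rctsaaiproxy';
+$logdestination = 'metadataimport-rctsaaiproxy.log';
+?>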
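Review bot: `$size_of_metadata = 1;` on line 15 is undocumented, and its only consumer — the `sizeof($metadata) < $size_of_metadata` plausibility check in bin/checkMergedMetadata.php — means a merged file with a single SP entry passes, so a feed that silently shrank would still be moved into place; a comment such as `// minimum number of SP entries the merged metadata must contain; fewer is treated as a failed import and the previous file is kept` would say what the value guards and prompt the operator to set it for the federation's real size. Dropping the closing `?>` on line 19 (and the one ending saml20-sp-mixin.php) avoids stray output should whitespace ever follow it in a file that is `require`d.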
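--- a/config/saml20-sp-mixin.php
+++ b/config/saml20-sp-mixin.php
@@ -0,0 +1,45 @@
+<?php
+
+$fieldsToStrip = array('entityDescriptor');
+
+// NB: The examples assume that the authsource delivers attributes using friendly names
+// and that the following global attribute filters are configured:
+// 50 => 'core:AttributeLimit',
+// 90 => array( 'class' => 'consent:Consent', ...),
+// 95 => array('class' => 'core:AttributeMap', 'name2oid'),
+
+
+// ---( default Service Provider configuration template )---
+
+
+
+// ---( Service Provider specific configuration templates )---
+
+
+$template['https://engine.rctsaai.pt/authentication/sp/metadata'] = array (
+
+ // following attributes are default values
+ 'attributes' => array(
+ 'mail',
+ 'displayName',
+ 'givenName',
+ 'cn',
+ 'sn',
+ 'uid',
+ 'eduPersonPrincipalName',
+ 'eduPersonEntitlement',
+ 'eduPersonAffiliation',
+ 'eduPersonScopedAffiliation',
+ 'schacHomeOrganization',
+ ),
+
+ 'authproc' => array(
+ 90 => array(
+ 'class' => 'core:AttributeMap',
+ 'name2oid'
+ ),
+ ),
+
+);
+
+?>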
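Review bot: `$defaultTemplate` is never defined in this file — the "default Service Provider configuration template" section on line 12 is empty — yet bin/mergeMetadata.php assigns it to `$currentTemplate` for every entity that matches no `$template` key and then iterates it with `foreach`, which on an undefined variable emits a warning and applies nothing; docs/MetaMerge.txt describes the variable as part of the contract. Add `$defaultTemplate = array();` under that heading (or a real default set of fields) so the merge is well-defined for unmatched entities. `$template` is likewise used without being initialised; `$template = array();` before the first assignment keeps the `foreach` in mergeMetadata.php safe when an operator removes the only entry.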
default-disable
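--- a/docs/MetaMerge.txt
+++ b/docs/MetaMerge.txt
@@ -0,0 +1,23 @@
+MetaMerge
+=========
+
+This module augments SAML20-SP matadata that have been fetched by MetaRefresh. Elements are added either based on entityId or on entity category (http://macedir.org/entity-category). If specified by entity category fields in the metadata dominate otherwise the template fields overwrite fields in the imported metadata.
+
+Superfluous metadata elements can be stripped to save space.
+
+Merged metadata are written to metadata-generated/saml20-sp-merged.php. After a plausibility check they are moved to the destination specified in the configuration.
+
+Configuration files are located in the metamerge/config directory.
+
+config.php specifies the metadata source, its fingerprint and the path of the merged data relative to the metadata directory.
+
+saml20-sp-mixin.php specifies the transformation process:
+
+$fieldsToStrip is an array of element names to remove.
+$defaultTemplate is used for entities that have no match in the template array.
+$template is an array of templates indexed by entityId or category.
+
+'attributes.allowed' restricts the set of attributes that may be released. For use in category templates to avoid unwanted attribute releases.
+'attributes.allowed.ifRequired' lists attributes that may only be released if they are marked as required. For use in category templates to avoid unwanted attribute releases.
+
+Usage: Enable the MetaRefresh module and call metamerge/bin/fetchFederationMetadata.php in a cron job.
\ No newline at end of file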
enable