|
| 1 | +#!/usr/bin/env php |
| 2 | +<?php |
| 3 | + |
| 4 | +/* |
| 5 | + * This script can be used to generate metadata for SimpleSAMLphp |
| 6 | + * based on an XML metadata file. |
| 7 | + */ |
| 8 | +use RobRichards\XMLSecLibs\XMLSecurityDSig; |
| 9 | + |
| 10 | + |
| 11 | +// This is the base directory of the SimpleSAMLphp installation |
| 12 | +$baseDir = dirname(dirname(dirname(dirname(__FILE__)))); |
| 13 | + |
| 14 | +// Add library autoloader. |
| 15 | +require_once($baseDir.'/lib/_autoload.php'); |
| 16 | + |
| 17 | +if (!\SimpleSAML\Module::isModuleEnabled('metarefresh')) { |
| 18 | + echo "You need to enable the metarefresh module before this script can be used.\n"; |
| 19 | + echo "You can enable it by running the following command:\n"; |
| 20 | + echo ' echo >"'.$baseDir.'/modules/metarefresh/enable'."\"\n"; |
| 21 | + exit(1); |
| 22 | +} |
| 23 | + |
| 24 | +// Initialize the configuration |
| 25 | +$configdir = \SimpleSAML\Utils\Config::getConfigDir(); |
| 26 | +\SimpleSAML\Configuration::setConfigDir($configdir); |
| 27 | + |
| 28 | +// $outputDir contains the directory we will store the generated metadata in |
| 29 | +$outputDir = $baseDir.'/metadata-generated'; |
| 30 | + |
| 31 | + |
| 32 | +/* $toStdOut is a boolean telling us wheter we will print the output to stdout instead |
| 33 | + * of writing it to files in $outputDir. |
| 34 | + */ |
| 35 | +$toStdOut = false; |
| 36 | + |
| 37 | +/* $certificates contains the certificates which should be used to check the signature of the signed |
| 38 | + * EntityDescriptor in the metadata, or NULL if signature verification shouldn't be done. |
| 39 | + */ |
| 40 | +$certificates = null; |
| 41 | + |
| 42 | +/* $validateFingerprint contains the fingerprint of the certificate which should have been used |
| 43 | + * to sign the EntityDescriptor in the metadata, or NULL if fingerprint validation shouldn't be |
| 44 | + * done. |
| 45 | + */ |
| 46 | +$validateFingerprint = null; |
| 47 | + |
| 48 | +/* $validateFingerprintAlgorithm is the algorithm to use to compute the fingerprint of the |
| 49 | + * certificate that signed the metadata. |
| 50 | + */ |
| 51 | +$validateFingerprintAlgorithm = null; |
| 52 | + |
| 53 | +// This variable contains the files we will parse |
| 54 | +$files = []; |
| 55 | + |
| 56 | +// Parse arguments |
| 57 | + |
| 58 | +$progName = array_shift($argv); |
| 59 | + |
| 60 | +foreach ($argv as $a) { |
| 61 | + if (strlen($a) === 0) { |
| 62 | + continue; |
| 63 | + } |
| 64 | + |
| 65 | + if ($a[0] !== '-') { |
| 66 | + // Not an option. Assume that it is a file we should parse |
| 67 | + $files[] = $a; |
| 68 | + continue; |
| 69 | + } |
| 70 | + |
| 71 | + if (strpos($a, '=') !== false) { |
| 72 | + $p = strpos($a, '='); |
| 73 | + $v = substr($a, $p + 1); |
| 74 | + $a = substr($a, 0, $p); |
| 75 | + } else { |
| 76 | + $v = null; |
| 77 | + } |
| 78 | + |
| 79 | + // Map short options to long options |
| 80 | + $shortOptMap = [ |
| 81 | + '-h' => '--help', |
| 82 | + '-o' => '--out-dir', |
| 83 | + '-s' => '--stdout', |
| 84 | + ]; |
| 85 | + if (array_key_exists($a, $shortOptMap)) { |
| 86 | + $a = $shortOptMap[$a]; |
| 87 | + } |
| 88 | + |
| 89 | + switch ($a) { |
| 90 | + case '--certificate': |
| 91 | + if ($v === null || strlen($v) === 0) { |
| 92 | + echo 'The --certficate option requires an parameter.'."\n"; |
| 93 | + echo 'Please run `'.$progName.' --help` for usage information.'."\n"; |
| 94 | + exit(1); |
| 95 | + } |
| 96 | + $certificates[] = $v; |
| 97 | + break; |
| 98 | + case '--validate-fingerprint': |
| 99 | + if ($v === null || strlen($v) === 0) { |
| 100 | + echo 'The --validate-fingerprint option requires an parameter.'."\n"; |
| 101 | + echo 'Please run `'.$progName.' --help` for usage information.'."\n"; |
| 102 | + exit(1); |
| 103 | + } |
| 104 | + $validateFingerprint = $v; |
| 105 | + break; |
| 106 | + case '--validate-fingerprint-algorithm': |
| 107 | + $validateFingerprintAlgorithm = $v; |
| 108 | + break; |
| 109 | + case '--help': |
| 110 | + printHelp(); |
| 111 | + exit(0); |
| 112 | + case '--out-dir': |
| 113 | + if ($v === null || strlen($v) === 0) { |
| 114 | + echo 'The --out-dir option requires an parameter.'."\n"; |
| 115 | + echo 'Please run `'.$progName.' --help` for usage information.'."\n"; |
| 116 | + exit(1); |
| 117 | + } |
| 118 | + $outputDir = $baseDir.($v[0] == '/' ? $v : '/'.$v); |
| 119 | + break; |
| 120 | + case '--stdout': |
| 121 | + $toStdOut = true; |
| 122 | + break; |
| 123 | + default: |
| 124 | + echo 'Unknown option: '.$a."\n"; |
| 125 | + echo 'Please run `'.$progName.' --help` for usage information.'."\n"; |
| 126 | + exit(1); |
| 127 | + } |
| 128 | +} |
| 129 | + |
| 130 | +if (count($files) === 0) { |
| 131 | + echo $progName.': Missing input files. Please run `'.$progName.' --help` for usage information.'."\n"; |
| 132 | + exit(1); |
| 133 | +} |
| 134 | + |
| 135 | +// The metadata global variable will be filled with the metadata we extract |
| 136 | +$metaloader = new \SimpleSAML\Module\metarefresh\MetaLoader(); |
| 137 | + |
| 138 | +foreach ($files as $f) { |
| 139 | + $source = ['src' => $f]; |
| 140 | + if (isset($certificates)) { |
| 141 | + $source['certificates'] = $certificates; |
| 142 | + } |
| 143 | + if (isset($validateFingerprint)) { |
| 144 | + $source['validateFingerprint'] = $validateFingerprint; |
| 145 | + } |
| 146 | + if (isset($validateFingerprintAlgorithm)) { |
| 147 | + $source['validateFingerprintAlgorithm'] = $validateFingerprintAlgorithm; |
| 148 | + } |
| 149 | + $metaloader->loadSource($source); |
| 150 | +} |
| 151 | + |
| 152 | +if ($toStdOut) { |
| 153 | + $metaloader->dumpMetadataStdOut(); |
| 154 | +} else { |
| 155 | + $metaloader->writeMetadataFiles($outputDir); |
| 156 | +} |
| 157 | + |
| 158 | +/** |
| 159 | + * This function prints the help output. |
| 160 | + * @return void |
| 161 | + */ |
| 162 | +function printHelp() |
| 163 | +{ |
| 164 | + global $progName; |
| 165 | + |
| 166 | + /* '======================================================================' */ |
| 167 | + echo 'Usage: '.$progName.' [options] [files]'."\n"; |
| 168 | + echo "\n"; |
| 169 | + echo 'This program parses a SAML metadata files and output pieces that can'."\n"; |
| 170 | + echo 'be added to the metadata files in metadata/.'."\n"; |
| 171 | + echo "\n"; |
| 172 | + echo 'Options:'."\n"; |
| 173 | + echo ' --certificate=<FILE> The certificate which should be used'."\n"; |
| 174 | + echo ' to check the signature of the metadata.'."\n"; |
| 175 | + echo ' The file are stored in the cert dir.'."\n"; |
| 176 | + echo ' It is possibility to add multiple'."\n"; |
| 177 | + echo ' --certificate options to handle'."\n"; |
| 178 | + echo ' key rollover.'."\n"; |
| 179 | + echo ' --validate-fingerprint=<FINGERPRINT>'."\n"; |
| 180 | + echo ' Check the signature of the metadata,'."\n"; |
| 181 | + echo ' and check the fingerprint of the'."\n"; |
| 182 | + echo ' certificate against <FINGERPRINT>.'."\n"; |
| 183 | + echo ' --validate-fingerprint-algorithm=<ALGORITHM>'."\n"; |
| 184 | + echo ' Use <ALGORITHM> to validate fingerprint of'."\n"; |
| 185 | + echo ' the certificate that signed the metadata.'."\n"; |
| 186 | + echo ' Default: '.XMLSecurityDSig::SHA1.".\n"; |
| 187 | + echo ' -h, --help Print this help.'."\n"; |
| 188 | + echo ' -o=<DIR>, --out-dir=<DIR> Write the output to this directory. The'."\n"; |
| 189 | + echo ' default directory is metadata-generated/.'."\n"; |
| 190 | + echo ' Path will be relative to the SimpleSAMLphp'."\n"; |
| 191 | + echo ' base directory.'."\n"; |
| 192 | + echo ' -s, --stdout Write the output to stdout instead of'."\n"; |
| 193 | + echo ' seperate files in the output directory.'."\n"; |
| 194 | + echo "\n"; |
| 195 | +} |
0 commit comments