#!/usr/bin/env bash
# Create a self-signed key/certificate pair and the SAML 2.0 SP metadata
# (EntityDescriptor) for a mod_auth_mellon service provider.
set -e

# Script name used as the prefix of every diagnostic message.
PROG=$(basename "$0")

#######################################
# Print the usage text to stdout.
# Globals:   PROG (read)
# Arguments: none
# Outputs:   five lines (the last one empty) on stdout
#######################################
printUsage() {
    printf '%s\n' \
        "Usage: $PROG ENTITY-ID ENDPOINT-URL" \
        "" \
        "Example:" \
        "  $PROG urn:someservice https://sp.example.org/mellon" \
        ""
}

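if [[ "$#" -lt 2 ]]; then
    printUsage
    exit 1
fi

ENTITYID=$1
if [[ -z "$ENTITYID" ]]; then
    printf '%s\n' "$PROG: An entity ID is required." >&2
    exit 1
fi

BASEURL=$2
if [[ -z "$BASEURL" ]]; then
    printf '%s\n' "$PROG: The URL to the MellonEndpointPath is required." >&2
    exit 1
fi

# Only http(s) URLs are accepted; the host extraction below relies on "://".
if [[ ! "$BASEURL" =~ ^https?:// ]]; then
    printf '%s\n' "$PROG: The URL must start with \"http://\" or \"https://\"." >&2
    exit 1
fi

# Host part of the URL (everything between "://" and the next "/"); it is
# used as the certificate's commonName.
HOST=${BASEURL#*://}
HOST=${HOST%%/*}
# Strip one trailing slash so the endpoint locations do not end up with "//".
BASEURL=${BASEURL%/}

# Derive the output file name from the entity ID: anything that is not a
# letter or a dot becomes "_", and runs of "_" are collapsed. The result can
# never contain "/" or start with "-", so the files always land in the
# current directory and cannot be mistaken for options.
OUTFILE=$(printf '%s' "$ENTITYID" | sed -e 's/[^A-Za-z.]/_/g' -e 's/__*/_/g')

printf '%s\n' \
    "Output files:" \
    "Private key:               $OUTFILE.key" \
    "Certificate:               $OUTFILE.cert" \
    "Metadata:                  $OUTFILE.xml" \
    "Host:                      $HOST" \
    "" \
    "Endpoints:" \
    "SingleLogoutService:       $BASEURL/logout" \
    "AssertionConsumerService:  $BASEURL/postResponse" \
    ""

# Nothing created from here on (private key, temporary OpenSSL config) may be
# readable by other users. The public files are opened up again at the end.
umask 0077

TEMPLATEFILE=$(mktemp -t mellon_create_sp.XXXXXXXXXX)
# Remove the temporary config on every exit path, including a failed openssl
# run, so it is not left behind.
trap 'rm -f -- "$TEMPLATEFILE"' EXIT

# NOTE(review): HOST is interpolated into an OpenSSL config file, where "$"
# is special; a URL host will not normally contain it.
cat >"$TEMPLATEFILE" <<EOF
RANDFILE           = /dev/urandom
[req]
default_bits       = 2048
default_keyfile    = privkey.pem
distinguished_name = req_distinguished_name
prompt             = no
policy             = policy_anything
[req_distinguished_name]
commonName         = $HOST
EOF

# NOTE(review): existing $OUTFILE.key/.cert/.xml are overwritten without
# confirmation; callers that re-run the script lose the previous private key.
# openssl's own output is suppressed, so report the failure explicitly rather
# than exiting silently.
if ! openssl req -utf8 -batch -config "$TEMPLATEFILE" -new -x509 -days 3652 -nodes \
        -out "$OUTFILE.cert" -keyout "$OUTFILE.key" 2>/dev/null; then
    printf '%s\n' "$PROG: openssl failed to generate the key and certificate." >&2
    exit 1
fi

rm -f -- "$TEMPLATEFILE"

# Certificate body without the PEM "-----BEGIN/END-----" armor lines.
CERT=$(grep -v -- '^-----' "$OUTFILE.cert")

#######################################
# Escape a string for use inside an XML attribute value or text node.
# Arguments: $1 - raw string
# Outputs:   escaped string on stdout (no trailing newline)
#######################################
xml_escape() {
    # "&" must be handled first so the other replacements are not re-escaped.
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# The entity ID and URL come from the command line and are placed in XML
# attributes; escape them so the metadata stays well-formed (e.g. a "&" in
# a URL query string).
XML_ENTITYID=$(xml_escape "$ENTITYID")
XML_BASEURL=$(xml_escape "$BASEURL")

cat >"$OUTFILE.xml" <<EOF
<EntityDescriptor entityID="$XML_ENTITYID" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>$CERT</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="$XML_BASEURL/logout"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$XML_BASEURL/postResponse" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>
EOF

# The certificate and metadata are public; the private key keeps the
# owner-only mode it was created with under umask 0077.
chmod go+r -- "$OUTFILE.xml" "$OUTFILE.cert"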