Unverified Commit 14ee2abb authored by Pavel Vyskočil's avatar Pavel Vyskočil

Added script for testing login via active ProxyIdP node

parent a6ccc90e
1 merge request!5Added script for testing login via active ProxyIdP node
......@@ -46,3 +46,20 @@ instanceName=""
## List of plugins
Plugins are located in /usr/lib/check_mk/plugins/
## Nagios active scripts
Active scripts are located in Nagios machine
### proxy_idp_auth_test_nagios.sh
This script checks the login via active ProxyIdP machine
* How to run this script:
* Params:
* 1 - The url of tested SP
* 2 - The url of login form of used IdP
* 3 - Login
* 4 - Password
* Example:
<pre>
./proxy_idp_auth_test_active.sh "https://aai-playground.ics.muni.cz/simplesaml/nagios_check.php?proxy_idp=cesnet" "https://idp2.ics.muni.cz/idp/Authn/UserPassword" "login" "passwd"
</pre>
\ No newline at end of file
#!/bin/bash
# This script is used make a full roundtrip test to SimpleSAMLphp based SSO
# Exit statuses indicate problem and are suitable for usage in Nagios.
basename=$(basename $0)
# The url of tested SP
testSite=$1
# The url of login form of used IdP
loginSite=$2
# Login
login=$3
# Password
password=$4
# How long is normal for total roundtrip (seconds)
warningTime=10
# End function
end()
{
status=$1
statustxt=$2
# Clean up
rm -f ${cookieJar}
# Calculate time difference
endTime=$(date +%s%N)
totalTime=$(expr $endTime - $startTime)
timeStat=$(echo "scale=4;$totalTime / 1000000000" | bc -l)
# If OK, but time > 5s s, set to WARNING
if [[ $status -eq 0 && $totalTime -gt $(( $warningTime * 1000000000 )) ]]; then
status=1
statustxt="WARN - Successful login, but was too long."
fi
echo $statustxt
exit $status
}
cookieJar=$(mktemp /tmp/${basename}.XXXXXX) || exit 3
startTime=$(date +%s%N)
# REQUEST #1: fetch URL for authentication page
html=$(curl -L -sS -c ${cookieJar} -w 'LAST_URL:%{url_effective}' ${testSite}) || end 2 "CRIT - Failed to fetch URL: $testSite"
# Parse HTML to get the URL where to POST login (written out by curl itself above)
authURL=$(echo ${html} | sed -e 's/.*LAST_URL:\(.*\)$/\1/')
authState=$(echo ${html} | sed -e 's/.*hidden[^>]*AuthState[^>]*value=[\"'\'']\([^\"'\'']*\)[\"'\''].*/\1/')
# We should be redirected
if [[ $authURL == $testSite ]]; then
end 2 "No redirection to: $loginSite."
fi
# REQUEST #2: log in
html=$(curl -L -sS -c ${cookieJar} -b ${cookieJar} -w 'LAST_URL:%{url_effective}' \
-d "j_username=$login" -d "j_password=$password" --data-urlencode "AuthState=${authState}" ${authURL}) || end 2 "CRIT - Failed to fetch URL: $authURL"
lastURL=$(echo ${html} | sed -e 's/.*LAST_URL:\(.*\)$/\1/')
# We should be successfully logged in
if [[ $lastURL == $authURL ]]; then
end 2 "Invalid credentials."
fi
# We do not support JS, so parse HTML for SAML endpoint and response
proxySamlEndpoint=$(echo ${html} | sed -e 's/.*form[^>]*action=[\"'\'']\([^\"'\'']*\)[\"'\''].*method[^>].*/\1/' | php -R 'echo html_entity_decode($argn);')
proxySamlResponse=$(echo ${html} | sed -e 's/.*hidden[^>]*SAMLResponse[^>]*value=[\"'\'']\([^\"'\'']*\)[\"'\''].*/\1/')
# REQUEST #3: post the SAMLResponse to proxy
html=$(curl -L -sS -c ${cookieJar} -b ${cookieJar} -w 'LAST_URL:%{url_effective}' \
--data-urlencode "SAMLResponse=${proxySamlResponse}" ${proxySamlEndpoint}) || end 2 "CRIT - Failed to fetch URL: $proxySamlEndpoint"
# We do not support JS, so parse HTML for SAML endpoint and response
spSamlEndpoint=$(echo ${html} | sed -e 's/.*form[^>]*action=[\"'\'']\([^\"'\'']*\)[\"'\''].*method[^>].*/\1/')
spSamlResponse=$(echo ${html} | sed -e 's/.*hidden[^>]*SAMLResponse[^>]*value=[\"'\'']\([^\"'\'']*\)[\"'\''].*/\1/')
# REQUEST #4: post the SAMLResponse to SP
html=$(curl -L -sS -c ${cookieJar} -b ${cookieJar} -w 'LAST_URL:%{url_effective}' \
--data-urlencode "SAMLResponse=${spSamlResponse}" ${spSamlEndpoint}) || end 2 "CRIT - Failed to fetch URL: $spSamlEndpoint"
lastURL=$(echo ${html} | sed -e 's/.*LAST_URL:\(.*\)$/\1/')
if [[ $lastURL == $testSite ]]; then
result=$(echo ${html} | sed -e 's/.*<body>\s*Result-\(.*\)<.*$/\1/')
if [[ $result == "OK " ]]; then
end 0 "OK - Successful login"
else
end 2 "CRIT - Bad result: $result."
fi
else
end 2 "CRIT - Not redirected back to: $testSite."
fi
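Review bot: The IdP password is handed to curl on its command line in request #2 (`-d "j_password=$password"`), and it also arrives in this script's own argv as `$4`, so on a host without `hidepid` it is typically readable by any local user via the process list for the whole roundtrip; the same holds for `-d "j_username=$login"`. Letting curl load the secret from a file the Nagios user owns, e.g. `--data-urlencode "j_password@${passwordFile}"` with the command definition passing a path instead of the password, keeps it out of `ps` and out of the script's argv. Separately, every `echo ${html} | sed …` and the `${testSite}`/`${authURL}`/`${proxySamlEndpoint}` arguments to curl are unquoted, so the fetched HTML is word-split and glob-expanded against the current directory before sed sees it, and `[[ $authURL == $testSite ]]` treats the right-hand side as a glob pattern (the documented example URL contains `?`); quoting them as `"$html"` and `"$testSite"` fixes both. Finally, none of the four curl calls set `--max-time`, so an unresponsive IdP or proxy leaves the check hanging instead of ending with CRIT — `warningTime` only applies once a response has arrived.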