From 34bc94d8d1cab464f55423ab1ec619675d068901 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Vysko=C4=8Dil?= <vyskocilpavel@muni.cz>
Date: Mon, 25 Feb 2019 12:25:32 +0100
Subject: [PATCH] Added proxy_idp_auth_test.sh

---
 README.md              |  21 ++++++++
 proxy_idp_auth_test.sh | 108 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 129 insertions(+)
 create mode 100755 proxy_idp_auth_test.sh

diff --git a/README.md b/README.md
index 44a27cb..6e2d718 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,27 @@ paths=""
 services=""
 </pre>
 
+### proxy_idp_auth_test.sh
+* Attributes to be filled:
+<pre>
+# The url of tested SP
+# For example: https://aai-playground.ics.muni.cz/simplesaml/nagios_check.php?proxy_idp=cesnet
+testSite=""
+
+# The url of login form of used IdP
+# For example: https://idp2.ics.muni.cz/idp/Authn/UserPassword
+loginSite=""
+
+# Fill in login
+login=""
+
+# Fill in password as string
+password=""
+
+# Fill in the instance name
+# Instance name must not contain a space
+instanceName=""
+</pre>
 
 ## List of plugins
 Local scripts are located in /usr/lib/check_mk/plugins/ 
\ No newline at end of file
diff --git a/proxy_idp_auth_test.sh b/proxy_idp_auth_test.sh
new file mode 100755
index 0000000..9e1e4c9
--- /dev/null
+++ b/proxy_idp_auth_test.sh
@@ -0,0 +1,108 @@
+#!/bin/bash
+
+# This script is used make a full roundtrip test to SimpleSAMLphp based SSO
+# Exit statuses indicate problem and are suitable for usage in Nagios.
+
+basename=$(basename $0)
+
+# The url of tested SP
+# For example: https://aai-playground.ics.muni.cz/simplesaml/nagios_check.php?proxy_idp=cesnet
+testSite=""
+
+# The url of login form of used IdP
+# For example: https://idp2.ics.muni.cz/idp/Authn/UserPassword
+loginSite=""
+
+# Fill in login
+login=""
+
+# Fill in password as string
+password=""
+
+# Fill in the instance name
+# Instance name must not contain a space
+instanceName=""
+
+# How long is normal for total roundtrip (seconds)
+warningTime=5
+
+# End function
+end()
+{
+status=$1
+statustxt=$2
+
+# Clean up
+rm -f ${cookieJar}
+
+# Calculate time difference
+endTime=$(date +%s%N)
+totalTime=$(expr $endTime - $startTime)
+timeStat=$(echo "scale=4;$totalTime / 1000000000" | bc -l)
+
+# If OK, but time > 5s s, set to WARNING
+if [[ $status -eq 0 &&  $totalTime -gt $(( $warningTime * 1000000000 )) ]]; then
+    status=1
+    statustxt="Successful login, but was too long."
+fi
+
+echo "$status proxy_idp_auth_test-$instanceName login_time=$timeStat $statustxt"
+exit 0
+}
+
+cookieJar=$(mktemp /tmp/${basename}.XXXXXX) || exit 3
+
+startTime=$(date +%s%N)
+
+# REQUEST #1: fetch URL for authentication page
+html=$(curl -L -sS -c ${cookieJar} -w 'LAST_URL:%{url_effective}' ${testSite}) || end 2 "Failed to fetch URL: $testSite"
+
+# Parse HTML to get the URL where to POST login (written out by curl itself above)
+authURL=$(echo ${html} | sed -e 's/.*LAST_URL:\(.*\)$/\1/')
+authState=$(echo ${html} | sed -e 's/.*hidden[^>]*AuthState[^>]*value=[\"'\'']\([^\"'\'']*\)[\"'\''].*/\1/')
+
+# We should be redirected
+if [[ $authURL == $testSite ]]; then
+    end 2 "No redirection to: $loginSite."
+fi
+
+# REQUEST #2: log in
+html=$(curl -L -sS -c ${cookieJar} -b ${cookieJar} -w 'LAST_URL:%{url_effective}' \
+-d "j_username=$login" -d  "j_password=$password" --data-urlencode "AuthState=${authState}" ${authURL}) || end 2 "Failed to fetch URL: $authURL"
+
+lastURL=$(echo ${html} | sed -e 's/.*LAST_URL:\(.*\)$/\1/')
+
+# We should be successfully logged in
+if [[ $lastURL == $authURL ]]; then
+    end 2 "Invalid credentials."
+fi
+
+# We do not support JS, so parse HTML for SAML endpoint and response
+proxySamlEndpoint=$(echo ${html} | sed -e 's/.*form[^>]*action=[\"'\'']\([^\"'\'']*\)[\"'\''].*method[^>].*/\1/' | php -R 'echo html_entity_decode($argn);')
+proxySamlResponse=$(echo ${html} | sed -e 's/.*hidden[^>]*SAMLResponse[^>]*value=[\"'\'']\([^\"'\'']*\)[\"'\''].*/\1/')
+
+# REQUEST #3: post the SAMLResponse to proxy
+html=$(curl -L -sS -c ${cookieJar} -b ${cookieJar} -w 'LAST_URL:%{url_effective}' \
+  --data-urlencode "SAMLResponse=${proxySamlResponse}" ${proxySamlEndpoint}) || end 2 "Failed to fetch URL: $proxySamlEndpoint"
+
+# We do not support JS, so parse HTML for SAML endpoint and response
+spSamlEndpoint=$(echo ${html} | sed -e 's/.*form[^>]*action=[\"'\'']\([^\"'\'']*\)[\"'\''].*method[^>].*/\1/')
+spSamlResponse=$(echo ${html} | sed -e 's/.*hidden[^>]*SAMLResponse[^>]*value=[\"'\'']\([^\"'\'']*\)[\"'\''].*/\1/')
+
+# REQUEST #4: post the SAMLResponse to SP
+html=$(curl -L -sS -c ${cookieJar} -b ${cookieJar} -w 'LAST_URL:%{url_effective}' \
+  --data-urlencode "SAMLResponse=${spSamlResponse}" ${spSamlEndpoint}) || end 2 "Failed to fetch URL: $spSamlEndpoint"
+
+lastURL=$(echo ${html} | sed -e 's/.*LAST_URL:\(.*\)$/\1/')
+
+if [[ $lastURL ==  $testSite ]]; then
+    result=$(echo ${html} | sed -e 's/.*<body>\s*Result-\(.*\)<.*$/\1/')
+    if [[ $result == "OK " ]]; then
+        end 0 "Successful login"
+    else
+        end 2 "Bad result: $result."
+    fi
+
+else
+    end 2 "Not redirected back to: $testSite."
+fi
-- 
GitLab