Skip to content
Snippets Groups Projects
Unverified Commit 34bc94d8 authored by Pavel Vyskočil's avatar Pavel Vyskočil
Browse files

Added proxy_idp_auth_test.sh

parent 9bafc233
No related branches found
No related tags found
1 merge request!3Added proxy_idp_auth_test.sh
......@@ -17,6 +17,27 @@ paths=""
services=""
</pre>
### proxy_idp_auth_test.sh
* Attributes to be filled:
<pre>
# The url of tested SP
# For example: https://aai-playground.ics.muni.cz/simplesaml/nagios_check.php?proxy_idp=cesnet
testSite=""
# The url of login form of used IdP
# For example: https://idp2.ics.muni.cz/idp/Authn/UserPassword
loginSite=""
# Fill in login
login=""
# Fill in password as string
password=""
# Fill in the instance name
# Instance name must not contain a space
instanceName=""
</pre>
## List of plugins
Local scripts are located in /usr/lib/check_mk/plugins/
\ No newline at end of file
#!/bin/bash
# This script is used make a full roundtrip test to SimpleSAMLphp based SSO
# Exit statuses indicate problem and are suitable for usage in Nagios.
basename=$(basename $0)
# The url of tested SP
# For example: https://aai-playground.ics.muni.cz/simplesaml/nagios_check.php?proxy_idp=cesnet
testSite=""
# The url of login form of used IdP
# For example: https://idp2.ics.muni.cz/idp/Authn/UserPassword
loginSite=""
# Fill in login
login=""
# Fill in password as string
password=""
# Fill in the instance name
# Instance name must not contain a space
instanceName=""
# How long is normal for total roundtrip (seconds)
warningTime=5
# End function
end()
{
status=$1
statustxt=$2
# Clean up
rm -f ${cookieJar}
# Calculate time difference
endTime=$(date +%s%N)
totalTime=$(expr $endTime - $startTime)
timeStat=$(echo "scale=4;$totalTime / 1000000000" | bc -l)
# If OK, but time > 5s s, set to WARNING
if [[ $status -eq 0 && $totalTime -gt $(( $warningTime * 1000000000 )) ]]; then
status=1
statustxt="Successful login, but was too long."
fi
echo "$status proxy_idp_auth_test-$instanceName login_time=$timeStat $statustxt"
exit 0
}
cookieJar=$(mktemp /tmp/${basename}.XXXXXX) || exit 3
startTime=$(date +%s%N)
# REQUEST #1: fetch URL for authentication page
html=$(curl -L -sS -c ${cookieJar} -w 'LAST_URL:%{url_effective}' ${testSite}) || end 2 "Failed to fetch URL: $testSite"
# Parse HTML to get the URL where to POST login (written out by curl itself above)
authURL=$(echo ${html} | sed -e 's/.*LAST_URL:\(.*\)$/\1/')
authState=$(echo ${html} | sed -e 's/.*hidden[^>]*AuthState[^>]*value=[\"'\'']\([^\"'\'']*\)[\"'\''].*/\1/')
# We should be redirected
if [[ $authURL == $testSite ]]; then
end 2 "No redirection to: $loginSite."
fi
# REQUEST #2: log in
html=$(curl -L -sS -c ${cookieJar} -b ${cookieJar} -w 'LAST_URL:%{url_effective}' \
-d "j_username=$login" -d "j_password=$password" --data-urlencode "AuthState=${authState}" ${authURL}) || end 2 "Failed to fetch URL: $authURL"
lastURL=$(echo ${html} | sed -e 's/.*LAST_URL:\(.*\)$/\1/')
# We should be successfully logged in
if [[ $lastURL == $authURL ]]; then
end 2 "Invalid credentials."
fi
# We do not support JS, so parse HTML for SAML endpoint and response
proxySamlEndpoint=$(echo ${html} | sed -e 's/.*form[^>]*action=[\"'\'']\([^\"'\'']*\)[\"'\''].*method[^>].*/\1/' | php -R 'echo html_entity_decode($argn);')
proxySamlResponse=$(echo ${html} | sed -e 's/.*hidden[^>]*SAMLResponse[^>]*value=[\"'\'']\([^\"'\'']*\)[\"'\''].*/\1/')
# REQUEST #3: post the SAMLResponse to proxy
html=$(curl -L -sS -c ${cookieJar} -b ${cookieJar} -w 'LAST_URL:%{url_effective}' \
--data-urlencode "SAMLResponse=${proxySamlResponse}" ${proxySamlEndpoint}) || end 2 "Failed to fetch URL: $proxySamlEndpoint"
# We do not support JS, so parse HTML for SAML endpoint and response
spSamlEndpoint=$(echo ${html} | sed -e 's/.*form[^>]*action=[\"'\'']\([^\"'\'']*\)[\"'\''].*method[^>].*/\1/')
spSamlResponse=$(echo ${html} | sed -e 's/.*hidden[^>]*SAMLResponse[^>]*value=[\"'\'']\([^\"'\'']*\)[\"'\''].*/\1/')
# REQUEST #4: post the SAMLResponse to SP
html=$(curl -L -sS -c ${cookieJar} -b ${cookieJar} -w 'LAST_URL:%{url_effective}' \
--data-urlencode "SAMLResponse=${spSamlResponse}" ${spSamlEndpoint}) || end 2 "Failed to fetch URL: $spSamlEndpoint"
lastURL=$(echo ${html} | sed -e 's/.*LAST_URL:\(.*\)$/\1/')
if [[ $lastURL == $testSite ]]; then
result=$(echo ${html} | sed -e 's/.*<body>\s*Result-\(.*\)<.*$/\1/')
if [[ $result == "OK " ]]; then
end 0 "Successful login"
else
end 2 "Bad result: $result."
fi
else
end 2 "Not redirected back to: $testSite."
fi
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment