Difference between revisions of "AA Testing"

From: KIFÜ Wiki
m (Bajnokk(AT)niif.hu moved page HEXAATest to AA Testing)
(Source: Add argument for AA cert, remove redundancy)
 
(2 intermediate revisions by the same user not shown)
Line 3: Line 3:
 
You need a valid principal (eduPersonPrincipalName) and the X.509 credentials of an existing Service Provider to use this script.
 
You need a valid principal (eduPersonPrincipalName) and the X.509 credentials of an existing Service Provider to use this script.
  
----
+
== Source ==
  
 
<source lang="bash">
 
<source lang="bash">
 +
 
#!/bin/bash
 
#!/bin/bash
 +
 +
basedir=$(dirname $0)
  
 
# URL of the Attribute Authority
 
# URL of the Attribute Authority
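Review bot: the new basedir=$(dirname $0) line leaves $0 unquoted, and the hunks below resolve the SP key and certificate files relative to it; a script path containing whitespace would be word-split and the --cacert/--cert/--key arguments would then point at non-existent files. Use basedir=$(dirname "$0").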
Line 12: Line 15:
  
 
# Testing principal (subject)
 
# Testing principal (subject)
Principal=bajnokk@niif.hu
+
Principal="bajnokk@niif.hu"
  
 
# HEXAA cert
 
# HEXAA cert
AACert=/home/bajnokk/hexaa.eduid.hu-aa.crt
+
AACert="$basedir/keys/hexaa.eduid.hu-aa.crt"
  
 
# EntityID and credentials of the SP on behalf of which
 
# EntityID and credentials of the SP on behalf of which
 
# the request is made
 
# the request is made
ReqSP="https://dev.aai.niif.hu/shibboleth"
+
ReqSP="https://sp.hexaa.eduid.hu/test"
ReqCert=/etc/shibboleth/dev.aai.niif.hu.shibboleth.crt
+
ReqCert="$basedir/keys/test.sp.hexaa.eduid.hu-fed.crt"
ReqKey=/etc/shibboleth/dev.aai.niif.hu.shibboleth.key
+
ReqKey="$basedir/keys/test.sp.hexaa.eduid.hu-fed.key"
 +
 
 +
 
 +
usage () {
 +
        cat <<EOS
 +
Usage: $0 [options]
 +
 
 +
Options:
 +
  -a uri      Attribute Authority URI. Defaults to '$AA_URI'
 +
  -C certfile  Attribute Authority metadata certificate in PEM format. Defaults to '$AACert'.
 +
  -p principal Testing principal (user name / subject). Defaults to '$Principal'.
 +
  -s entity    EntityID of the SP on behalf of which the request is made. Defaults to '$ReqSP'
 +
  -k keyfile  Key file in PEM format containing the key of the SP used for the request. Defaults to '$ReqKey'
 +
  -c certfile  Cert file in PEM format containing the certificate of the SP used for the request. Defaults to '$ReqCert'
 +
EOS
 +
        exit 3
 +
}
  
 +
# Get command line arguments
 +
while getopts "a:p:s:k:c:h" opt; do
 +
        case $opt in
 +
                a)
 +
                        AA_URI=$OPTARG
 +
                        ;;
 +
                C)
 +
                        AACert=$OPTARG
 +
                        ;;
 +
                p)
 +
                        Principal=$OPTARG
 +
                        ;;
 +
                s)
 +
                        ReqSP=$OPTARG
 +
                        ;;
 +
                k)
 +
                        ReqKey=$OPTARG
 +
                        ;;
 +
                c)
 +
                        ReqCert=$OPTARG
 +
                        ;;
 +
                h)
 +
                        usage
 +
                        ;;
 +
                \?)
 +
                        usage
 +
                        ;;
 +
        esac
 +
done
  
 
DATE=$(date --utc +%FT%TZ)
 
DATE=$(date --utc +%FT%TZ)
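Review bot: the option string in the line while getopts "a:p:s:k:c:h" opt; do does not contain C, so the -C certfile option documented in the usage text and handled by the new C) branch can never be selected: getopts reports -C as an invalid option, the \?) branch runs usage and the script exits 3. Change it to while getopts "a:C:p:s:k:c:h" opt; do so the AA certificate can actually be overridden from the command line.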
Line 44: Line 92:
  
 
echo "$REQ_XML" | \
 
echo "$REQ_XML" | \
   curl --cacert $AACert --cert $ReqCert --key $ReqKey \
+
   curl --silent --show-error --cacert $AACert --cert $ReqCert --key $ReqKey \
 
       --header "Content-Type: text/xml;charset=UTF-8" --data @- $AA_URI
 
       --header "Content-Type: text/xml;charset=UTF-8" --data @- $AA_URI
 
</source>
 
</source>
 +
 +
== Validation of response ==
 +
Signature validation:
 +
xmlsec1 --verify --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" --trusted-pem $aacert $response 2>/dev/null
 +
 +
Content validation:
 +
xmllint --xpath "//*[local-name()='Attribute'][@Name='$attribute']/*[local-name()='AttributeValue']/text()" $response
 
[[Category: HOWTO]]
 
[[Category: HOWTO]]
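Review bot: the two added validation commands reference $aacert, $response and $attribute, none of which is set anywhere on the page, and $aacert differs in case from the script's AACert, so when pasted into the shell that ran the script the xmlsec1 call gets an empty --trusted-pem argument. Either reuse $AACert or state that these are placeholders for the AA certificate file, the saved response file and the attribute Name. The 2>/dev/null on the xmlsec1 line also discards the reason for a FAIL verdict, and the xmllint line extracts attribute values whether or not the signature check passed; the text should say that the xmllint step is only meaningful after xmlsec1 has printed OK.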

Current revision of the page as of 15 September 2017, 20:36

The following shell script uses curl to query a SAML2 Attribute Authority.

You need a valid principal (eduPersonPrincipalName) and the X.509 credentials of an existing Service Provider to use this script.

Source

#!/bin/bash

basedir=$(dirname "$0")

# URL of the Attribute Authority
AA_URI="https://hexaa.eduid.hu:8443/simplesaml/module.php/aa/attributeserver.php"

# Testing principal (subject)
Principal="bajnokk@niif.hu"

# HEXAA cert (the AA's metadata certificate; curl also validates the TLS server certificate against it)
AACert="$basedir/keys/hexaa.eduid.hu-aa.crt"

# EntityID and credentials of the SP on behalf of which
# the request is made
ReqSP="https://sp.hexaa.eduid.hu/test"
ReqCert="$basedir/keys/test.sp.hexaa.eduid.hu-fed.crt"
ReqKey="$basedir/keys/test.sp.hexaa.eduid.hu-fed.key"


usage () {
        cat <<EOS
Usage: $0 [options]

Options:
  -a uri       Attribute Authority URI. Defaults to '$AA_URI'
  -C certfile  Attribute Authority metadata certificate in PEM format. Defaults to '$AACert'.
  -p principal Testing principal (user name / subject). Defaults to '$Principal'.
  -s entity    EntityID of the SP on behalf of which the request is made. Defaults to '$ReqSP'
  -k keyfile   Key file in PEM format containing the key of the SP used for the request. Defaults to '$ReqKey'
  -c certfile  Cert file in PEM format containing the certificate of the SP used for the request. Defaults to '$ReqCert'
EOS
        exit 3
}

# Get command line arguments ("C:" must be in the option string, otherwise -C is rejected as invalid)
while getopts "a:C:p:s:k:c:h" opt; do
        case $opt in
                a)
                        AA_URI=$OPTARG
                        ;;
                C)
                        AACert=$OPTARG
                        ;;
                p)
                        Principal=$OPTARG
                        ;;
                s)
                        ReqSP=$OPTARG
                        ;;
                k)
                        ReqKey=$OPTARG
                        ;;
                c)
                        ReqCert=$OPTARG
                        ;;
                h)
                        usage
                        ;;
                \?)
                        usage
                        ;;
        esac
done

# IssueInstant in UTC, as SAML requires
DATE=$(date --utc +%FT%TZ)
# 32 random hex characters; the leading "_" added in ID="_$ReqID" below makes it a valid XML ID
ReqID=$(hexdump -n 16 -e '4/4 "%08x" 1 "\n"' /dev/urandom)


# read exits non-zero when it hits the end of the here-document; that is expected here
read -r -d '' REQ_XML <<EOS
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_$ReqID" IssueInstant="$DATE" Version="2.0">
      <saml:Issuer>$ReqSP</saml:Issuer>
      <saml:Subject>
        <saml:NameID Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">$Principal</saml:NameID>
      </saml:Subject>
    </samlp:AttributeQuery>
  </S:Body>
</S:Envelope>
EOS

#debug echo "$REQ_XML"

# POST the SOAP envelope over mutually authenticated TLS; the response is written to stdout
echo "$REQ_XML" | \
  curl --silent --show-error --cacert "$AACert" --cert "$ReqCert" --key "$ReqKey" \
       --header "Content-Type: text/xml;charset=UTF-8" --data @- "$AA_URI"

Validation of response

Signature validation. Here $aacert stands for the AA certificate file (AACert in the script above) and $response for the file the SOAP response was saved to. The --id-attr option registers the ID attribute of the samlp:Response element, which is where the signature is expected; if the AA signs the Assertion instead, register urn:oasis:names:tc:SAML:2.0:assertion:Assertion as well. xmlsec1 prints OK or FAIL; dropping the 2>/dev/null shows the reason for a FAIL.

xmlsec1 --verify --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" --trusted-pem $aacert $response 2>/dev/null

Content validation, to be run only after the signature check has printed OK. $attribute is the Name of the attribute whose values you want to see:

xmllint --xpath "//*[local-name()='Attribute'][@Name='$attribute']/*[local-name()='AttributeValue']/text()" $response
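The xmllint line above only pulls values out of the document; it does not check that the response actually answers the request that was sent. The following is an added example (not the wiki's script, and not HEXAA code) that builds the same AttributeQuery envelope as the bash script and then applies the checks a relying party should make on a response after xmlsec1 has verified its signature: InResponseTo matches the request ID, the status is Success, the assertion is issued by the expected AA entity, it is about the requested principal, and the current time lies inside the Conditions window. The AA entity ID, SP entity ID, principal and attribute values in the sample response are constructed placeholders; only the Python standard library is used. Signature verification itself is intentionally left to xmlsec1, as on the page.

```python
"""Build a SAML2 AttributeQuery envelope and sanity-check the AA's response.
Added example, not the wiki's own script; standard library only. XML signature
verification is deliberately NOT done here: verify the saved response with
xmlsec1 as the page shows, then run these checks on the verified document."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EPPN_FORMAT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"  # NameID format the wiki script uses
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)


class ResponseError(Exception):
    """The response must not be acted upon."""


def saml_time(dt):
    """Format a datetime the way SAML expects, e.g. 2017-09-15T20:36:00Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_time(text):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    text = text.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in text else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def new_request_id():
    """Random request ID; the leading '_' keeps it a valid XML ID, like _$ReqID."""
    return "_" + secrets.token_hex(16)


def build_attribute_query(issuer, principal, req_id, issue_instant):
    """Return the SOAP envelope carrying the AttributeQuery as UTF-8 bytes."""
    env = ET.Element(f"{{{NS['S']}}}Envelope")
    body = ET.SubElement(env, f"{{{NS['S']}}}Body")
    query = ET.SubElement(body, f"{{{NS['samlp']}}}AttributeQuery", ID=req_id,
                          IssueInstant=saml_time(issue_instant), Version="2.0")
    ET.SubElement(query, f"{{{NS['saml']}}}Issuer").text = issuer
    subject = ET.SubElement(query, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subject, f"{{{NS['saml']}}}NameID", Format=EPPN_FORMAT).text = principal
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def check_response(xml_bytes, request_id, aa_entity_id, principal, now):
    """Check correlation, status, issuer, subject and validity window of a
    signature-verified response; return {attribute Name: [values]}."""
    resp = ET.fromstring(xml_bytes).find("S:Body/samlp:Response", NS)
    if resp is None:
        raise ResponseError("no samlp:Response in SOAP body")
    if resp.get("InResponseTo") != request_id:
        raise ResponseError("InResponseTo does not match our request ID")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ResponseError("status is not Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        raise ResponseError("no saml:Assertion in response")
    if assertion.findtext("saml:Issuer", namespaces=NS) != aa_entity_id:
        raise ResponseError("assertion issued by someone other than the AA")
    if assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) != principal:
        raise ResponseError("assertion is about a different subject")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and parse_time(cond.get("NotBefore")) > now:
            raise ResponseError("assertion not yet valid")
        if cond.get("NotOnOrAfter") and parse_time(cond.get("NotOnOrAfter")) <= now:
            raise ResponseError("assertion has expired")
    attrs = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs


# Constructed sample response (not captured from HEXAA); entity IDs and values are placeholders.
SAMPLE_RESPONSE = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" InResponseTo="_q1" IssueInstant="2017-09-15T20:36:00Z" Version="2.0">
  <saml:Issuer>https://aa.example.org/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" IssueInstant="2017-09-15T20:36:00Z" Version="2.0">
    <saml:Issuer>https://aa.example.org/idp</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">user@example.org</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2017-09-15T20:35:00Z" NotOnOrAfter="2017-09-15T20:41:00Z"/>
    <saml:AttributeStatement><saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1">
      <saml:AttributeValue>urn:geant:example.org:group:staff</saml:AttributeValue>
      <saml:AttributeValue>urn:geant:example.org:group:wiki-editors</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response></S:Body></S:Envelope>"""

if __name__ == "__main__":
    print(build_attribute_query("https://sp.example.org/shibboleth", "user@example.org",
                                new_request_id(), datetime.now(timezone.utc)).decode())
    print(check_response(SAMPLE_RESPONSE, "_q1", "https://aa.example.org/idp",
                         "user@example.org", parse_time("2017-09-15T20:36:30Z")))
```

To use it with the bash script above, redirect curl's output to a file, run the xmlsec1 command on that file, and only if it prints OK feed the file, the script's _$ReqID value, the AA's entity ID and the tested principal to check_response; a ResponseError means the document should be discarded even though its signature was valid.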