authorLeif Johansson <leifj@sunet.se>2019-01-14 10:34:54 +0100
committerLeif Johansson <leifj@sunet.se>2019-01-14 10:34:54 +0100
commit457533034d1e0070323f9ca49a4bf8ddde5f882e (patch)
tree695d2878f76faffc5715e1ea2bb855c77936d9f9 /scripts
initial import
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/bump-tag46
-rwxr-xr-xscripts/do-update.sh3
-rwxr-xr-xscripts/get-metadata.sh80
-rwxr-xr-xscripts/tidy16
-rwxr-xr-xscripts/update-trust29
-rwxr-xr-xscripts/verify-tag14
6 files changed, 188 insertions, 0 deletions
diff --git a/scripts/bump-tag b/scripts/bump-tag
new file mode 100755
index 0000000..af4ee40
--- /dev/null
+++ b/scripts/bump-tag
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+set -e
+
+test -f .env && . ./.env
+
+git pull
+
+deftag=`basename $PWD`
+tagpfx=${tag:="$deftag"}
+
+last_tag=`git tag -l "${tagpfx}-*"|sort|tail -1`
+
+echo "Verifying last tag $last_tag:"
+(git tag -v $last_tag | grep ^gpg:) || true
+# again to not mask exit status of git with grep
+git tag -v $last_tag > /dev/null 2>&1
+echo ""
+
+echo "Differences between tag $last_tag and what you are about to sign:"
+PAGER=cat git diff $last_tag..master
+
+iter=1
+ok=
+while test -z "$ok"; do
+ this_tag=$(date +${tagpfx}-%Y-%m-%d-v`printf "%02d" $iter`)
+ iter=`expr $iter + 1`
+ case `(echo $this_tag; echo $last_tag) | sort | tail -1` in
+ $last_tag)
+ ;;
+ $this_tag)
+ ok=yes
+ ;;
+ esac
+done
+
+echo ""
+echo "Using new tag $this_tag"
+echo ONLY SIGN IF YOU APPROVE OF VERIFICATION AND DIFF ABOVE
+
+# GITTAGEXTRA is for putting things like "-u 2117364A"
+
+git tag $GITTAGEXTRA -m bump. -s $this_tag
+
+git push
+git push --tags
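Review bot: The diff the signer is asked to approve, `PAGER=cat git diff $last_tag..master`, is computed against `master`, but `git tag $GITTAGEXTRA -m bump. -s $this_tag` signs whatever HEAD is, so on any other branch the signer approves one set of changes and signs another; compare against what will actually be tagged, `PAGER=cat git diff "$last_tag"..HEAD`, or abort unless `git rev-parse --abbrev-ref HEAD` is `master`. Separately, `test -f .env && . ./.env` executes a file from the current checkout before anything has been verified, so anyone who can land a `.env` in the repository gets code execution on the signer's machine — at minimum a comment should state that `.env` is expected to be local and untracked, or the settings should come from the environment instead. The `git tag -v $last_tag` check only establishes that some key in the signer's keyring produced the signature, which is an adequate check only if that keyring is curated to the allowed signers. `$last_tag` and `$this_tag` should be quoted throughout (`git tag -v "$last_tag"`).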
diff --git a/scripts/do-update.sh b/scripts/do-update.sh
new file mode 100755
index 0000000..555d9ab
--- /dev/null
+++ b/scripts/do-update.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+cd /var/cache/metadata_r1 && make update
diff --git a/scripts/get-metadata.sh b/scripts/get-metadata.sh
new file mode 100755
index 0000000..3d97561
--- /dev/null
+++ b/scripts/get-metadata.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+#
+# Fetch Service Provider metadata and save into entityid filename
+#
+
+error()
+{
+ echo "Error: $*" 1>&2
+ exit 1
+}
+
+metadataurl=$1
+if [ -z "$metadataurl" ] ; then
+ cat <<EOF
+Usage: `basename $0` <metadataurl>
+Ex: `basename $0` https://shibsp.mysite.com/Shibboleth.sso/Metadata
+ `basename $0` https://shibidp.mysite.com/idp/profile/Metadata/SAML
+ `basename $0` some-downloaded-metadata.xml
+ `basename $0` reep:<entityid>
+ `basename $0` mdq:<entityid>
+ `basename $0` <hostname> (tries to pull from standard locations)
+EOF
+ exit 1
+fi
+
+script_cwd=`dirname "$0"`
+if test -d md ; then
+ echo "Moving into md/"
+ cd md
+ echo "$script_cwd" | grep -q ^/ || script_cwd=../$script_cwd
+fi
+
+if echo "$metadataurl" | grep -qE '^http://|^https://' ; then
+ metadata=`curl -L -s -k -f "$metadataurl"`
+elif echo "$metadataurl" | grep -qE '^reep:' ; then
+ id=`echo -n "$metadataurl" | sed 's/^reep://' | sha1sum | awk '{print $1}'`
+ metadataurl="http://md.reep.refeds.org/entities/%7Bsha1%7D$id"
+ metadata=`curl -L -s -k -f "$metadataurl"`
+elif echo "$metadataurl" | grep -qE '^mdq:' ; then
+ id=`echo -n "$metadataurl" | sed 's/^mdq://' | sha1sum | awk '{print $1}'`
+ metadataurl="$MDQ/%7Bsha1%7D$id"
+ metadata=`curl -L -s -k -f "$metadataurl"`
+else
+ if [ -s "${metadataurl}" ]; then
+ metadata=`cat "$metadataurl"`
+ else
+ urls="https://${metadataurl}/idp/shibboleth https://${metadataurl}/Shibboleth.sso/Metadata https://${metadataurl}/saml/index/sp-metadata https://${metadataurl}/saml/metadata"
+ for i in ${urls}; do
+ metadata=`curl -L -s -k -f "${i}"`
+ [ -n "${metadata}" ] && break
+ done
+ fi
+fi
+[ -n "$metadata" ] || error "Failed to fetch metadata from $metadataurl"
+
+entityid=`echo "$metadata" | sed -n 's/.*entityID=['\''"]\([^"]*\)['\''"].*/\1/p'`
+[ -n "$entityid" ] || error "Failed to find entityID in metadata"
+[ `echo "$entityid" | wc -l` = 1 ] || error "Multiple entityid:s found: `echo $entityid`"
+
+entityidfn=`echo "$entityid" | sed 's;https*://;;' | tr 'A-Z' 'a-z' | sed 's;/$;;' | sed 's/[^a-z0-9_.-]/-/g' | sed 's/\.xml$//;s/$/.xml/'`
+[ -n "$entityidfn" ] || error "Failed to generate filename from entityid $entityid"
+
+[ -r "$entityidfn" ] && new=false || new=true
+if $new ; then
+ echo -n "Save metadata into $entityidfn [Y/n]? "
+else
+ echo -n "Replace $entityidfn with metadata [Y/n]? "
+fi
+read x
+case $x in
+ Y|y|"")
+ echo "$metadata" > $entityidfn
+ tmp=`mktemp`
+ xsltproc $script_cwd/../xslt/clean-entitydescriptor.xsl ${entityidfn} > ${tmp} && mv ${tmp} ${entityidfn}
+ ;;
+ *)
+ echo "Nothing done"
+ ;;
+esac
+
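Review bot: Every fetch in this script passes `-k` to curl (`metadata=`curl -L -s -k -f "$metadataurl"``, and the same on the reep, mdq and hostname-probe branches), which disables TLS certificate verification, and the `reep:` branch builds a plain `http://md.reep.refeds.org/...` URL, so the metadata that ends up saved as `$entityidfn` — which for SAML typically carries the entity's signing certificates and endpoints — can be substituted by anyone on the network path. Drop `-k` from all four curl invocations and use `https://` for the reep URL; if a particular site's certificate genuinely cannot be validated, handle it with `--cacert` or a documented opt-in variable rather than disabling verification globally. Minor: `read x` should be `read -r x`, and `$entityidfn` in `echo "$metadata" > $entityidfn` should be quoted even though the sed chain restricts it to `[a-z0-9_.-]`.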
diff --git a/scripts/tidy b/scripts/tidy
new file mode 100755
index 0000000..0cbd3e8
--- /dev/null
+++ b/scripts/tidy
@@ -0,0 +1,16 @@
+#!/bin/bash
+#
+# Tidy one XML file
+#
+if [ -z "$1" ]; then
+ echo "Usage $0 <file to tidy>"
+ exit
+fi
+
+if [ ! -r $1 ]; then
+ echo "Cant find $1"
+ exit
+fi
+
+xsltproc xslt/clean-entitydescriptor.xsl $1 > $1.c && mv $1.c $1
+
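Review bot: Both error paths end in a bare `exit`, which returns status 0, so a caller (a Makefile loop, for instance) cannot distinguish a missing argument or unreadable file from success; use `exit 1` in both branches. `$1` is unquoted on the `[ ! -r $1 ]` test and on the `xsltproc` line, so a filename with whitespace or glob characters breaks the command — `xsltproc xslt/clean-entitydescriptor.xsl "$1" > "$1.c" && mv "$1.c" "$1"`. The stylesheet path `xslt/clean-entitydescriptor.xsl` is relative to the current directory, unlike get-metadata.sh in the same commit which resolves it from the script's own location via `$script_cwd`; a comment such as `# must be run from the repository root (xslt/ is resolved relative to cwd)` would make the difference explicit.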
diff --git a/scripts/update-trust b/scripts/update-trust
new file mode 100755
index 0000000..9ff7e78
--- /dev/null
+++ b/scripts/update-trust
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+export GNUPGHOME=/etc/metadata/gnupg
+mkdir -p $GNUPGHOME
+chmod 0700 $GNUPGHOME
+export GPG=gpg2
+
+# Install new keys discovered in the keys directory
+for k in keys/*.pub; do
+ fp=`$GPG --with-colons --with-fingerprint < $k | awk -F: '$1 == "pub" {print $5}'`
+ fp_in_db=`$GPG --with-colons --fingerprint | grep ":$fp:"`
+ if [ "x`echo $fp_in_db | grep '^pub:e:'`" != "x" ]; then
+ echo "$0: Key expired, will re-import it from $k"
+ $GPG --fingerprint $fp
+ fi
+ # The removal of any ^pub:e: entrys means to ignore expired keys - thereby importing them again.
+ echo $fp_in_db | grep -v "^pub:e:" | grep -q ":$fp:" || $GPG --import < $k
+done
+
+# Delete keys no longer present in keys directory
+for fp in `$GPG --with-colons --fingerprint | awk -F: '$1 == "pub" {print $5}'`; do
+ seen="no"
+ for k in keys/*.pub; do
+ $GPG --with-colons --with-fingerprint < $k | grep -q ":$fp:" && seen="yes"
+ done
+ if [ "x$seen" = "xno" ]; then
+ $GPG --yes --batch --delete-key $fp || true
+ fi
+done
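Review bot: `fp` is not a fingerprint: field 5 of a `pub` record in `--with-colons` output is the 64-bit key ID, and the fingerprint only appears in the `fpr` record (field 10), so both the membership test `grep ":$fp:"` and `--delete-key $fp` identify keys by the short ID rather than by full fingerprint. Since this keyring is what decides which tag signatures verify-tag accepts, match and delete by full fingerprint instead: `fp=$($GPG --with-colons --with-fingerprint < "$k" | awk -F: '$1 == "fpr" {print $10; exit}')`, the corresponding `awk -F: '$1 == "fpr" {print $10}'` on the keyring listing, and the 40-hex value passed to `--delete-key`. A `.pub` file holding more than one key makes `$fp` multi-line and the grep pattern meaningless; either document one key per file or loop over all `fpr` records. Also, `echo $fp_in_db` unquoted collapses the grep output onto a single line, so the `^pub:e:` tests only ever see the first matching record.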
diff --git a/scripts/verify-tag b/scripts/verify-tag
new file mode 100755
index 0000000..b482e9d
--- /dev/null
+++ b/scripts/verify-tag
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+export GNUPGHOME=/etc/metadata/gnupg
+mkdir -p $GNUPGHOME
+export GPG=gpg2
+
+git config --global gpg.program gpg2
+
+tag=$(git tag -l "md-[0-9]*" | sort | tail -1)
+if [ -z "$tag" ]; then
+ echo "no matching tag found"
+ exit 1
+fi
+git checkout $tag && git tag -v $tag
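Review bot: `git checkout $tag && git tag -v $tag` moves the working tree to the tag before its signature is checked, so a tag whose verification fails is already checked out when the script exits non-zero, and any caller that ignores the status then operates on unverified content. Verify first and only then check out: `git tag -v "$tag" && git checkout "$tag"`. `git config --global gpg.program gpg2` permanently rewrites the invoking user's global git configuration as a side effect of a verification run; `git -c gpg.program="$GPG" tag -v "$tag"` scopes the setting to this command. Note also that `git tag -v` succeeds for any good signature from a key present in `$GNUPGHOME` regardless of ownertrust, so the keyring at `/etc/metadata/gnupg` is the entire trust boundary; which keys are allowed into it is decided elsewhere (presumably update-trust) and deserves a one-line comment here saying so.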