aaf-mdqt 0.8.0

data/lib/mdqt/cli/base.rb

@@ -0,0 +1,190 @@
+module MDQT
+
+  class CLI
+
+    class Base
+
+      require 'mdqt/cli'
+      require 'pastel'
+      require 'pathname'
+
+      def self.run(args, options)
+
+        check_requirements(options)
+        introduce(options)
+
+        self.new(args, options).run
+      end
+
+      def self.check_requirements(options)
+
+        unless options.service == :not_required
+          abort "No MDQ service URL has been specified. Please use --service, MDQT_SERVICE or MDQ_BASE_URL" unless service_url(options).to_s.start_with?("http")
+        end
+
+        if options.save_to
+          dir = options.save_to
+          begin
+            FileUtils.mkdir_p(dir) unless File.exist?(dir)
+          rescue
+            abort "Error: Directory #{dir} did not exist, and we can't create it"
+          end
+          abort "Error: '#{dir}' is not a writable directory!" if (File.directory?(dir) && !File.writable?(dir))
+          abort "Error: '#{dir}' is not a directory!" unless File.directory?(dir)
+        end
+
+      end
+
+      def self.introduce(options)
+        if options.verbose
+          STDERR.puts "MDQT version #{MDQT::VERSION}"
+          STDERR.puts "Using #{service_url(options)}" unless options.service == :not_required
+          STDERR.puts "Caching is #{MDQT::CLI::CacheControl.caching_on?(options) ? 'on' : 'off'}"
+          STDERR.print "XML validation is #{MDQT::Client.verification_available? ? 'available' : 'not available'}"
+          STDERR.puts " #{options.validate ? "and active" : "but inactive"} for this request" if MDQT::Client.verification_available?
+          STDERR.print "Signature verification is #{MDQT::Client.verification_available? ? 'available' : 'not available'}"
+          STDERR.puts " #{options.verify_with ? "and active" : "but inactive"} for this request" if MDQT::Client.verification_available?
+          STDERR.puts "Output directory for saved files is: #{File.absolute_path(options.save_to)}" if options.save_to
+          STDERR.puts("Warning! TLS certificate verification has been disabled!") if options.tls_risky
+          STDERR.puts
+        end
+      end
+
+      def initialize(cli_args, options)
+        piped_input = get_stdin
+        @args = cli_args.concat(piped_input)
+        @options = options
+      end
+
+      def get_stdin
+        return $stdin.readlines.map(&:split).flatten.map(&:strip) if pipeable?
+        []
+      end
+
+      def pipeable?
+        return false if ENV["MDQT_STDIN"].to_s.strip.downcase == "off" # Workaround Aruba testing weirdness?
+        !STDIN.tty? && !$stdin.closed? && $stdin.stat.pipe?
+      end
+
+      def args
+        @args
+      end
+
+      def options=(new_options)
+        @options = new_options
+      end
+
+      def options
+        @options
+      end
+
+      def self.service_url(options)
+
+        return nil if options.service == :not_required
+
+        choice = options.service.to_s.strip
+
+        if choice.downcase.start_with? "http"
+          normalize_base_url(choice)
+        else
+          Defaults.lookup_service_alias(choice)
+        end
+
+      end
+
+      def service_url(options)
+        self.class.service_url(options)
+      end
+
+      def output(response)
+        if response.ok?
+          yay response.message
+          hey explain(response) if options.explain
+          trailer = response.data[-1] == "\n" ? "" : "\n"
+          response.data + trailer
+        else
+          hey response.message
+        end
+
+      end
+
+      def explain(response)
+        unless response.explanation.empty?
+          require 'terminal-table'
+          misc_rows = [['URL', response.explanation[:url]], ["Method", response.explanation[:method]], ['Status', response.explanation[:status]]]
+          req_header_rows = response.explanation[:request_headers].map { |k, v| ['C', k, v] }
+          resp_header_rows = response.explanation[:response_headers].map { |k, v| ['S', k, v] }
+
+          btw Terminal::Table.new :title => "HTTP Misc", :rows => misc_rows
+          btw Terminal::Table.new :title => "Client Request Headers", :headings => ['C/S', 'Header', 'Value'], :rows => req_header_rows
+          btw Terminal::Table.new :title => "Server Response Headers", :headings => ['C/S', 'Header', 'Value'], :rows => resp_header_rows
+
+        end
+      end
+
+      def advise_on_xml_signing_support
+        hey "XML signature verification and XML validation are not available. Install the 'xmldsig' gem if you can." unless MDQT::Client.verification_available?
+      end
+
+      def extract_certificate_paths(cert_paths = options.verify_with)
+        cert_paths.collect do |cert_path|
+          begin
+            halt! "Cannot read certificate at '#{cert_path}'!" unless File.readable?(cert_path)
+            halt! "File at '#{cert_path}' does not seem to be a PEM format certificate" unless IO.binread(cert_path).include?("-----BEGIN CERTIFICATE-----")
+            cert_path
+          rescue
+            halt! "Unable to validate the certificate at '#{cert_path}'"
+          end
+        end
+      end
+
+      def colour_shell?
+        TTY::Color.color?
+      end
+
+      def pastel
+        @pastel ||= Pastel.new
+      end
+
+      def say(text)
+        STDOUT.puts(text)
+      end
+
+      def hey(comment)
+        STDERR.puts(comment)
+      end
+
+      def btw(comment)
+        STDERR.puts(comment) if options.verbose
+      end
+
+      def yay(comment)
+        btw pastel.green(comment)
+      end
+
+      def halt!(comment)
+        abort pastel.red("Error: #{comment}")
+      end
+
+      def run
+        halt! "No action has been defined for this command!"
+      end
+
+      private
+
+      ## Base URLs should end with a "/", it might be easier to just add one rather than raise an error
+      def self.normalize_base_url(url)
+        if url.end_with?('/')
+          url
+        else
+          "#{url}/"
+        end
+      end
+
+    end
+
+  end
+
+  #
+end
+

data/lib/mdqt/cli/cache_control.rb

@@ -0,0 +1,25 @@
+module MDQT
+  class CLI
+
+    class CacheControl
+
+      class << self
+
+        def caching_on?(options)
+          return false if cache_type(options) == :none
+          true
+        end
+
+        def cache_type(options)
+          return :none if options.refresh
+          return :memcache if options.cache && options.memcache
+          return :file if options.cache
+          :none
+        end
+
+      end
+
+    end
+  end
+
+end

data/lib/mdqt/cli/check.rb

@@ -0,0 +1,78 @@
+module MDQT
+
+  class CLI
+
+    require 'mdqt/cli/base'
+
+    class Check < Base
+
+      def run
+
+        options.validate = true
+
+        advise_on_xml_signing_support
+        halt!("Cannot check a metadata file without XML support: please install additional gems") unless MDQT::Client.verification_available?
+
+        client = MDQT::Client.new(
+          service_url(options),
+          verbose: options.verbose,
+          explain: options.explain ? true : false,
+        )
+
+        cert_paths = options.verify_with ? extract_certificate_paths(options.verify_with) : []
+
+        args.each do |filename|
+
+          filename = File.absolute_path(filename)
+          file = client.open_metadata(filename)
+
+          halt!("Cannot access file #{filename}") unless file.readable?
+
+          halt!("XML validation failed for #{filename}:\n#{file.validation_error}") unless file.valid?
+          btw "File #{filename} is valid SAML Metadata XML"
+
+          if options.verify_with
+            halt! "XML in #{filename} is not signed, cannot verify!" unless file.signed?
+            halt! "The signed XML for #{filename} cannot be verified using #{cert_paths.to_sentence}" unless file.verified_signature?(cert_paths)
+            btw "Signed XML for #{filename} has been verified using '#{cert_paths.to_sentence}'"
+          end
+
+          yay "#{filename} OK"
+        end
+
+      end
+
+      def verify_results(results)
+
+        # if options.validate
+        #   results.each do |result|
+        #     next unless result.ok?
+        #     halt! "The data for #{result.identifier} is not valid when checked against schema:\n#{result.validation_error}" unless result.valid?
+        #     btw "Data for #{result.identifier.empty? ? 'aggregate' : result.identifier } has been validated against schema" ## FIXME - needs constistent #label maybe?
+        #   end
+        # end
+        #
+        # return results unless options.verify_with
+        #
+        # cert_paths = extract_certificate_paths(options.verify_with)
+        #
+        # results.each do |result|
+        #   next unless result.ok?
+        #   halt! "Data from #{options.service} is not signed, cannot verify!" unless result.signed?
+        #   halt! "The data for #{result.identifier} cannot be verified using #{cert_paths.to_sentence}" unless result.verified_signature?(cert_paths)
+        #   btw "Data for #{result.identifier.empty? ? 'aggregate' : result.identifier } has been verified using '#{cert_paths.to_sentence}'" ## FIXME - needs constistent #label maybe?
+        # end
+        #
+        # results
+
+      end
+
+    end
+
+    private
+
+  end
+
+end
+
+

data/lib/mdqt/cli/defaults.rb

@@ -0,0 +1,70 @@
+module MDQT
+  class CLI
+
+    class Defaults
+
+      class << self
+
+        def base_url
+
+          ENV['MDQT_SERVICE'] || ENV['MDQ_BASE_URL'] || guess_service
+
+        end
+
+        def force_hash?
+          false
+        end
+
+        def cli_defaults
+          {
+            hash: force_hash?,
+            cache: true,
+            refresh: false
+          }
+        end
+
+        def guess_service
+
+          locale = ENV['LANG']
+
+          service = services.find { |s| s[:locale] == locale }
+          #service ||= services.first
+
+          if service
+            url = service[:url]
+            STDERR.puts "MDQT is assuming that you want to use #{url}\nPlease configure this using --service, MDQT_SERVICE or MDQ_BASE_URL\n\n"
+            url
+          else
+            nil
+          end
+
+        end
+
+        def lookup_service_alias(srv_alias)
+          service = services.find { |s| s[:alias].to_s.downcase.to_sym == srv_alias.to_s.downcase.to_sym }
+          service ? service[:url] : nil
+        end
+
+        def services
+          [
+            { alias: "ukamf",
+              locale: "en_GB.UTF-8",
+              url: "http://mdq.ukfederation.org.uk/"
+            },
+            { alias: "incommon",
+              locale: "en_US.UTF-8",
+              url: "https://mdq.incommon.org/"
+            },
+            { alias: "dfn",
+              locale: "de_utf8",
+              url: "https://mdq.aai.dfn.de/"
+            },
+          ]
+        end
+
+      end
+
+    end
+
+  end
+end

data/lib/mdqt/cli/entities.rb

@@ -0,0 +1,47 @@
+module MDQT
+
+  class CLI
+
+    require 'mdqt/cli/base'
+
+    class Entities < Base
+
+      def run
+
+        options.validate = true
+
+        advise_on_xml_signing_support
+        halt!("Cannot check a metadata file without XML support: please install additional gems") unless MDQT::Client.verification_available?
+
+        client = MDQT::Client.new(
+          service_url(options),
+          verbose: options.verbose,
+          explain: options.explain ? true : false,
+        )
+
+        args.each do |filename|
+
+          file = client.open_metadata(filename)
+
+          halt!("Cannot access file #{filename}") unless file.readable?
+
+          halt!("XML validation failed for #{filename}:\n#{file.validation_error}") unless file.valid?
+
+          file.entity_ids.each do |id|
+            id = options.sha1 ? [id, MDQT::Client::IdentifierUtils.transform_uri(id)].join(" ") : id
+            say(id)
+          end
+
+        end
+
+      end
+
+    end
+
+    private
+
+  end
+
+end
+
+

data/lib/mdqt/cli/get.rb

@@ -0,0 +1,130 @@
+module MDQT
+
+  class CLI
+
+    require 'mdqt/cli/base'
+
+    class Get < Base
+
+      def run
+
+        aggregate_confirmation_check!
+
+        advise_on_xml_signing_support
+
+        results = verify_results(get_responses)
+
+        #results = MetadataAggregator.aggregate_responses(results) if options.aggregate
+
+        output_metadata(results, options)
+
+      end
+
+      def get_responses
+
+        client = MDQT::Client.new(
+          service_url(options),
+          verbose: options.verbose,
+          explain: options.explain ? true : false,
+          tls_risky: options.tls_risky ? true : false,
+          cache_type: MDQT::CLI::CacheControl.cache_type(options),
+        )
+
+        args.empty? ? [client.get_metadata("")] : args.collect { |entity_id| client.get_metadata(entity_id) }
+
+      end
+
+      def verify_results(results)
+
+        if options.validate
+          results.each do |result|
+            next unless result.ok?
+            halt! "The data for #{result.identifier} is not valid when checked against schema:\n#{result.validation_error}" unless result.valid?
+            btw "Data for #{result.identifier.empty? ? 'aggregate' : result.identifier } has been validated against schema" ## FIXME - needs constistent #label maybe?
+          end
+        end
+
+        return results unless options.verify_with
+
+        cert_paths = extract_certificate_paths(options.verify_with)
+
+        results.each do |result|
+          next unless result.ok?
+          halt! "Data from #{options.service} is not signed, cannot verify!" unless result.signed?
+          halt! "The data for #{result.identifier} cannot be verified using #{cert_paths.to_sentence}" unless result.verified_signature?(cert_paths)
+          btw "Data for #{result.identifier.empty? ? 'aggregate' : result.identifier } has been verified using '#{cert_paths.to_sentence}'" ## FIXME - needs constistent #label maybe?
+        end
+
+        results
+
+      end
+
+      def output_metadata(results, options)
+        case action(results, options)
+        when :save_files
+          output_files(results, options)
+        when :print_to_stdout
+          output_to_stdout(results, options)
+        else
+          halt! "Can't determine output type"
+        end
+      end
+
+      def action(results, options)
+        case
+        when options.save_to
+          :save_files
+        else
+          :print_to_stdout
+        end
+      end
+
+      def output_to_stdout(results, options)
+        results.each { |r| puts output(r) }
+      end
+
+      def output_files(results, options)
+        pwd = Pathname.getwd
+        prepare_output_directory(options.save_to)
+        results.each do |result|
+          main_file = output_file_path(result.filename)
+          open(main_file, 'w') { |f|
+            f.puts result.data
+          }
+
+          if options.list
+            puts Pathname.new(main_file).relative_path_from(pwd)
+          end
+
+          yay "Created #{main_file}"
+
+          # if options.link_id
+          #   ["{sha1}#{result.filename.gsub(".xml", "")}"].each do |altname|
+          #     full_alias = output_file_path(altname)
+          #     FileUtils.ln_sf(main_file, full_alias)
+          #     yay "Linked alias #{altname} -> #{main_file}"
+          #   end
+          # end
+
+        end
+      end
+
+      private
+
+      def output_file_path(filename)
+        File.absolute_path(File.join([options.save_to, filename]))
+      end
+
+      def prepare_output_directory(directory)
+        FileUtils.mkdir_p(directory)
+      end
+
+      def aggregate_confirmation_check!
+        halt!("Please specify --all if you wish to request all entities from #{options.service}") if args.empty? && !options.all
+      end
+
+    end
+
+  end
+
+end

data/lib/mdqt/cli/list.rb

@@ -0,0 +1,65 @@
+module MDQT
+
+  class CLI
+
+    require 'mdqt/cli/base'
+
+    class List < Base
+
+      def run
+
+        options.validate = true
+
+        advise_on_xml_signing_support
+
+        halt!("Cannot check a metadata file without XML support: please install additional gems") unless MDQT::Client.verification_available?
+
+        response = get_response
+        result = verify_result(response)
+
+        puts result.entity_ids
+
+      end
+
+      def get_response
+
+        client = MDQT::Client.new(
+          service_url(options),
+          verbose: options.verbose,
+          explain: options.explain ? true : false,
+          tls_risky: options.tls_risky ? true : false,
+          cache_type: MDQT::CLI::CacheControl.cache_type(options),
+        )
+
+        client.get_metadata("")
+
+      end
+
+      def verify_result(result)
+
+        if options.validate
+          halt! "The data for #{result.identifier} is not valid when checked against schema:\n#{result.validation_error}" unless result.valid?
+          btw "Data for #{result.identifier.empty? ? 'aggregate' : result.identifier } has been validated against schema" ## FIXME - needs constistent #label maybe?
+        end
+
+        return result unless options.verify_with
+
+        cert_paths = extract_certificate_paths(options.verify_with)
+
+        halt! "Data from #{options.service} is not signed, cannot verify!" unless result.signed?
+        halt! "The data for #{result.identifier} cannot be verified using #{cert_paths.to_sentence}" unless result.verified_signature?(cert_paths)
+        btw "Data for #{result.identifier.empty? ? 'aggregate' : result.identifier } has been verified using '#{cert_paths.to_sentence}'" ## FIXME - needs constistent #label maybe?
+
+        result
+
+      end
+
+    end
+
+    private
+
+  end
+
+end
+
+

data/lib/mdqt/cli/ln.rb

@@ -0,0 +1,81 @@
+module MDQT
+
+  class CLI
+
+    require 'mdqt/cli/base'
+
+    class Ln < Base
+
+      def run
+
+        options.validate = true
+
+        advise_on_xml_signing_support
+        halt!("Cannot check a metadata file without XML support: please install additional gems") unless MDQT::Client.verification_available?
+
+        client = MDQT::Client.new(
+          options.service,
+          verbose: options.verbose,
+          explain: options.explain ? true : false,
+        )
+
+        halt!("Please specify a file to link to!") if args.empty?
+
+        args.each do |filename|
+
+          next if File.symlink?(filename)
+
+          file = client.open_metadata(filename)
+
+          halt!("Cannot access file #{filename}") unless file.readable?
+          halt!("File #{filename} is a metadata aggregate, cannot create entityID hashed link!") if file.aggregate?
+          halt!("XML validation failed for #{filename}:\n#{file.validation_error}") unless file.valid?
+
+          halt!("Cannot find entityID for #{filename}") unless file.entity_id
+
+          linkname = file.linkname
+
+          if filename == linkname
+            if options.force
+              hey("Warning: Cannot link file to itself, skipping! #{filename}")
+              next
+            else
+              halt!("Cannot link file to itself! #{filename}")
+              next
+            end
+            btw("Cannot link file to itself! #{filename}")
+          end
+
+          if file.turd?
+            hey "Warning: will not process backup/turd files"
+            next
+          end
+
+          message = ""
+
+          if File.exist?(linkname)
+            if options.force
+              File.delete(linkname)
+            else
+              old_target = File.readlink(linkname)
+              message = old_target == filename ? "File exists" : "Conflicts with #{filename}"
+              halt!("#{linkname} -> #{old_target} [#{file.entity_id}] #{message}. Use --force to override")
+              next
+            end
+          end
+
+          File.symlink(filename, linkname)
+          hey("#{linkname} -> #{filename} [#{file.entity_id}] #{message}") if options.verbose
+        end
+
+      end
+
+    end
+
+    private
+
+  end
+
+end
+
+