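#!/usr/bin/perl
##
## 18/07/2014, Olivier Salaün
##
## Command-line client for the Test IdP Account Manager.
##
## Exactly one --<action> option selects a branch below; the remaining
## options (--sp_entityid, --account_profile, --token, --email_address,
## --contacts, --displayname, --filter_expired, --delete) are arguments or
## filters for that action. See the POD after __END__ for examples.

use strict;
use warnings;
use utf8;

use lib "/opt/testidp/IdPAccountManager/lib";
use lib "/opt/testidp/IdPAccountManager/conf";

use Getopt::Long;
use POSIX;

use IdPAccountManager::TestAccount;
use IdPAccountManager::SAMLMetadata;
use IdPAccountManager::ServiceProvider;
use IdPAccountManager::AuthenticationToken;

## NOTE(review): IdPAccountManager::Tools and %Conf::global are referenced
## below but are not loaded by this script; presumably one of the modules
## above pulls them in -- confirm before relocating this script.

## Return the usage text covering every supported action. Printed by --help,
## when option parsing fails and when no action was given.
sub usage {
    return <<"END_USAGE";
Usage: $0 <action> [options]

Actions:
  --add_test_account --account_profile=<profile_id> --sp_entityid=<entityid>
  --list_test_accounts [--sp_entityid=<entityid>] [--account_profile=<profile_id>] [--filter_expired] [--delete]
  --parse_federation_metadata [--sp_entityid=<entityid>]
  --add_service_provider --sp_entityid=<entityid> --contacts=<email,...> [--displayname=<name>]
  --list_service_providers
  --list_authentication_tokens [--sp_entityid=<entityid>] [--token=<token>] [--filter_expired] [--delete]
  --get_authentication_token --token=<token> [--sp_entityid=<entityid>]
  --add_authentication_token --email_address=<email> --sp_entityid=<entityid>
  --send_notice --email_address=<email>
  --help
END_USAGE
}

## Log $message through the application logger and terminate with a failure
## status. Used for failures reported by the IdPAccountManager layer.
sub abort_with_error {
    my ($message) = @_;

    IdPAccountManager::Tools::do_log('error', $message);
    exit -1;
}

## Return the value of mandatory option $name from $options_ref, or die with
## the option name when it was not supplied.
sub require_option {
    my ($options_ref, $name) = @_;

    die "Missing $name option" unless $options_ref->{$name};
    return $options_ref->{$name};
}

my %options;
GetOptions(
    \%options,
    'help',
    'add_test_account',
    'account_profile=s',
    'sp_entityid=s',
    'list_test_accounts',
    'parse_federation_metadata',
    'list_service_providers',
    'list_authentication_tokens',
    'get_authentication_token',
    'add_authentication_token',
    'email_address=s',
    'token=s',
    'send_notice',
    'filter_expired',
    'delete',
    'add_service_provider',
    'contacts=s',
    'displayname=s',
) or die "Unknown options.\n" . usage();

## --help is a complete action: print usage and stop (instead of falling
## through to "Missing arguments").
if ($options{'help'}) {
    print usage();
    exit 0;
}

if ($options{'add_test_account'}) {
    my $account_profile = require_option(\%options, 'account_profile');
    my $sp_entityid     = require_option(\%options, 'sp_entityid');

    my $test_account = IdPAccountManager::TestAccount->new(
        account_profile => $account_profile,
        sp_entityid     => $sp_entityid,
    );
    abort_with_error("Failed to create test account") unless defined $test_account;
    abort_with_error("Failed to create test account") unless $test_account->save();

    ## The generated password is shown once, here, to the operator.
    printf "Account created:\n\tuserid: user%d\n\tpassword: %s\n",
        $test_account->get('id'), $test_account->get('user_password');
}
elsif ($options{'list_test_accounts'}) {
    ## Optional filters are accumulated as a query list for list_test_accounts().
    my %args;
    push @{ $args{'query'} }, 'sp_entityid' => $options{'sp_entityid'}
        if $options{'sp_entityid'};
    push @{ $args{'query'} }, 'account_profile' => $options{'account_profile'}
        if $options{'account_profile'};
    push @{ $args{'query'} }, 'expiration_date' => { lt => time }
        if $options{'filter_expired'};

    my $all = IdPAccountManager::TestAccount::list_test_accounts(%args);
    print "No matching test account in DB\n" unless @$all;

    foreach my $test_account (@$all) {
        $test_account->print();
        if ($options{'delete'}) {
            $test_account->delete or die "Failed to delete test account\n";
        }
    }

    if ($options{'delete'}) {
        printf "%d accounts removed\n", scalar @$all;
        ## The simpleSamlPhp authsources file is regenerated so removed
        ## accounts no longer appear in the IdP configuration.
        print "Update simpleSamlPhp configuration file...\n";
        IdPAccountManager::Tools::update_ssp_authsources();
    }
}
elsif ($options{'parse_federation_metadata'}) {
    my $metadata_path       = $Conf::global{'federation_metadata_file_path'};
    my $federation_metadata = IdPAccountManager::SAMLMetadata->new;
    $federation_metadata->load(federation_metadata_file_path => $metadata_path)
        or die "Failed to load federation metadata from $metadata_path\n";

    ## Restrict parsing to a single entity when --sp_entityid is given.
    my %args;
    $args{'filter_entity_id'} = $options{'sp_entityid'} if $options{'sp_entityid'};
    $federation_metadata->parse(%args)
        or die "Failed to parse federation metadata from $metadata_path\n";

    printf "Document %s parsed\n", $metadata_path;
    print "Hashref representing the metadata:\n";
    IdPAccountManager::Tools::dump_var(
        $federation_metadata->{'federation_metadata_as_hashref'}, 0, \*STDOUT);
}
elsif ($options{'add_service_provider'}) {
    my $sp_entityid = require_option(\%options, 'sp_entityid');
    my $contacts    = require_option(\%options, 'contacts');

    ## An existing row for this entityid is updated rather than duplicated.
    my $service_provider = IdPAccountManager::ServiceProvider->new(entityid => $sp_entityid);
    if ($service_provider->load(speculative => 1)) {
        printf "Entry for %s already in DB; update it with new data\n", $sp_entityid;
        $service_provider->contacts($contacts);
        $service_provider->displayname($options{'displayname'}) if $options{'displayname'};
    }
    else {
        $service_provider = IdPAccountManager::ServiceProvider->new(
            entityid    => $sp_entityid,
            contacts    => $contacts,
            displayname => $options{'displayname'},
        );
        abort_with_error("Failed to create service provider") unless defined $service_provider;
    }
    abort_with_error("Failed to create service provider") unless $service_provider->save();

    print "Service Provider created:\n";
}
elsif ($options{'list_service_providers'}) {
    my $all = IdPAccountManager::ServiceProvider::list_service_providers();
    print "No service provider in DB\n" unless @$all;

    foreach my $service_provider (@$all) {
        $service_provider->print();
    }
}
elsif ($options{'list_authentication_tokens'}) {
    my %args;
    push @{ $args{'query'} }, 'sp_entityid' => $options{'sp_entityid'}
        if $options{'sp_entityid'};
    push @{ $args{'query'} }, 'token' => $options{'token'}
        if $options{'token'};
    if ($options{'filter_expired'}) {
        ## A token is considered expired once it is older than
        ## tokens_validity_period, expressed in hours.
        my $oldest_valid = time - ($Conf::global{'tokens_validity_period'} * 3600);
        push @{ $args{'query'} }, 'creation_date' => { lt => $oldest_valid };
    }

    my $all = IdPAccountManager::AuthenticationToken::list_authentication_tokens(%args);
    print "No corresponding token found in DB\n" unless @$all;

    foreach my $authentication_token (@$all) {
        $authentication_token->print();
        if ($options{'delete'}) {
            $authentication_token->delete or die "Failed to delete authentication token\n";
        }
    }

    printf "%d tokens removed\n", scalar @$all if $options{'delete'};
}
elsif ($options{'get_authentication_token'}) {
    ## Without --token there is no lookup key at all, so require it.
    my $token = require_option(\%options, 'token');

    my $authentication_token = IdPAccountManager::AuthenticationToken->new(token => $token);
    $authentication_token->load() or die "No corresponding token found in DB\n";

    ## A token is bound to one SP: refuse to disclose it for a different one.
    if ($options{'sp_entityid'}) {
        my $token_sp = $authentication_token->get('sp_entityid');
        unless (defined $token_sp and $token_sp eq $options{'sp_entityid'}) {
            die "Authentication token cannot be used for this SP\n";
        }
    }

    $authentication_token->print();
}
elsif ($options{'add_authentication_token'}) {
    my $email_address = require_option(\%options, 'email_address');
    my $sp_entityid   = require_option(\%options, 'sp_entityid');

    my $authentication_token = IdPAccountManager::AuthenticationToken->new();
    abort_with_error("Failed to create token object") unless defined $authentication_token;
    abort_with_error("Failed to set token value")
        unless $authentication_token->set(
            'email_address' => $email_address,
            'sp_entityid'   => $sp_entityid,
        );
    abort_with_error("Failed to create token") unless $authentication_token->save();

    $authentication_token->print();
}
elsif ($options{'send_notice'}) {
    my $email_address = require_option(\%options, 'email_address');

    IdPAccountManager::Tools::mail_notice(
        'template' => 'templates/mail/notification_generic_error.tt2.eml',
        'data'     => {},
        'to'       => $email_address,
    ) or die "Failed to send mail notice to $email_address\n";

    ## The address comes from the command line: pass it as a printf argument,
    ## never as part of the format string.
    printf "Mail notice sent to %s\n", $email_address;
}
else {
    die "Missing arguments\n" . usage();
}

__END__

=head1 NAME

account-manager-client.pl - Command line client to the Test Account manager

=head1 SYNOPSIS

./bin/account-manager-client.pl --list_authentication_tokens

=head1 DESCRIPTION

The Test Account manager instantiates test accounts associated to a SAML Identity Provider.
This script provides a command-line interface for most functions.

=head1 EXAMPLES

=over 8

=item C<account-manager-client.pl --add_test_account --account_profile=student1 --sp_entityid=https://test.federation.renater.fr/test/ressource>

Adds a new test account.

=item C<account-manager-client.pl --list_test_accounts --sp_entityid=https://test.federation.renater.fr/test/ressource --account_profile=student1>

List all test accounts. Criteria can be added to filter test accounts.

=item C<account-manager-client.pl --list_test_accounts --filter_expired>

List all expired test accounts.

=item C<account-manager-client.pl --list_test_accounts --filter_expired --delete>

Remove all expired test accounts from DB.
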
=item C<account-manager-client.pl --parse_federation_metadata>

Parses the SAML metadata file, as defined by the C<federation_metadata_file_path> configuration parameter.

=item C<account-manager-client.pl --list_authentication_tokens --sp_entityid=https://test.federation.renater.fr/test/ressource --token=dhj67sjJ>

List all authentication tokens. Criteria can be added to filter tokens.

=item C<account-manager-client.pl --list_authentication_tokens --filter_expired>

List all expired authentication tokens.

=item C<account-manager-client.pl --list_authentication_tokens --filter_expired --delete>

Remove all expired authentication tokens from DB.

=item C<account-manager-client.pl --get_authentication_token --token=dhj67sjJ>

Get information on a token.

=item C<account-manager-client.pl --add_authentication_token --email_address=john@my.fqdn --sp_entityid=https://test.federation.renater.fr/test/ressource>

Adds a new authentication token.

=item C<account-manager-client.pl --send_notice --email_address=john@my.fqdn>

Sends a mail notice to the specified email address.

=item C<account-manager-client.pl --add_service_provider --sp_entityid='https://test.federation.renater.fr/test/ressource' --displayname='Test SP' --contacts=email1@dom,email2@dom>

Adds a new Service Provider.

=back

=head1 AUTHOR

Olivier Salaün (olivier.salaun@renater.fr)