metadist/fetchmeta at master · ukf/metadist · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
#!/bin/bash

#
# fetchmeta
#
# This script replicates the UK federation metadata files from
# the master site to a local directory which is in turn served out
# to federation clients.
#
# As well as replication, this script performs integrity checking on
# the files using the embedded digital signature and a copy of the
# federation's signing certificate to make sure that a spurious
# (damaged or subverted) copy of the metadata is never put into service.
#

HOME=${1:-~wayf}
PATH="$PATH:/usr/local/bin"

#
# Names of the metadata files to be replicated.
#
FILES="
 ukfederation-metadata.xml
 ukfederation-wayf.xml
 ukfederation-test.xml
 ukfederation-back.xml
 ukfederation-export.xml
 ukfederation-export-preview.xml
 ukfederation-cdsall.xml
"

#
# Site from which we pull the metadata files.
#
MASTER=http://master.metadata.ukfederation.org.uk

#
# Name of initial mirror directory; contains a copy of the
# metadata files that duplicates the master site's copy, but
# is not integrity checked.
#
MIRROR=mirror

#
# Name of directory containing verified copies of the files.
# The actual verified copies are ignored because metadatatool
# destroys the timestamp and may reformat the file.
#
VERIFY=verify

#
# Name of the live directory, which will contain a copy of the
# integrity checked metadata files.
#
LIVE=$HOME/metadata

#
# Acquire Java configuration.
#
JAVA_HOME=${JAVA_HOME-/var/UKFED/java/jre1.8.0_73}
export JAVA_HOME

#
# Location of tools
#
WGET=wget
RSYNC=rsync
XMLSECTOOL=/var/UKFED/xmlsectool-1.2.0/xmlsectool.sh

#
# Base wait time.  Set to 0 for testing, higher as a mean random delay
# for each transfer.  This means things won't cluster quite so tightly
# around the nominal update time even if all downloaders start at the
# same time.
#
BASEWAIT=30

#
# Override the above settings from a CONFIG file, if there is one.
#
if [ -f CONFIG ]; then
  . CONFIG
  if [ -n "${TESTING}" ]; then
    echo CONFIG settings in effect:
    echo ...LIVE is ${LIVE}
    echo ...BASEWAIT is ${BASEWAIT}
  fi
fi

#
# Prepare the mirror directory.
#
touch $MIRROR/touched
rm -f $MIRROR/*
#
# Mirror the files from the master metadata site into our local
# directory prior to checking.
#
for file in $FILES
do
  if [ -n "${TESTING}" ]; then
    echo Fetching ${file}...
  fi
  $WGET --timestamping --quiet \
      --wait=$BASEWAIT --random-wait \
      --no-directories --no-host-directories \
      --directory-prefix=$MIRROR \
      $MASTER/$file
done

#
# Prepare the verification directory.
#
touch $VERIFY/touched
rm -f $VERIFY/*
verified=0

#
# Now verify the signature on the mirrored files using metadatatool.
# Also verify that the file is no more than 7 days old. GJG 26-april-2012
#
# The output from the verification step is discarded; if verification
# fails, the output file won't be created.
#
for file in $FILES
do
  if [ -n "${TESTING}" ]; then
    echo Verifying ${file}...
  fi
  ${XMLSECTOOL} --verifySignature --signatureRequired --quiet \
    --certificate ukfederation-2014.pem \
    --inFile $MIRROR/$file --outFile $VERIFY/$file
  if [ -e $VERIFY/$file ]; then
    if test `find $VERIFY/$file -mtime -7`; then
      verified=$(( $verified + 1 ))
    fi
  fi
done

#
# If we managed to verify all the mirrored files, move them
# across to the live directory in a single operation.
#
if [ $verified -eq 7 ]; then
    if [ -n "${TESTING}" ]; then
      echo Syncing to ${LIVE}...
    fi
    $RSYNC --times $MIRROR/*.xml $LIVE
else
    echo "failed to verify all mirrored files: $verified"
    exit 1
fi

#
# END
#