Allow URLs as SAML metadata certificate file

* this will issue a warning on startup however, as it's recommended to provide a local file

Allow URLs as SAML metadata certificate file
* this will issue a warning on startup however, as it's recommended to provide a local file
2ce326c2 · Moser, Maximilian · 1fb917cd · 2ce326c2 · 2ce326c2
Commit 2ce326c2 authored 1 year ago by Moser, Maximilian
--- a/Dockerfile
+++ b/Dockerfile
 # https://hub.docker.com/_/satosa
 FROM satosa:8
+USER root
+RUN apt-get update && apt-get install -y curl
+USER satosa
 COPY run.sh /usr/local/bin
 CMD ["/usr/local/bin/run.sh"]
--- a/run.sh
+++ b/run.sh
@@ -2,6 +2,8 @@
 #
 # script for starting SATOSA with Gunicorn with a set of SSL/TLS files

+set -euo pipefail
+
 SATOSA_GUNICORN_KEY="${SATOSA_GUNICORN_KEY:-ssl/gunicorn.key}"
 SATOSA_GUNICORN_CERT="${SATOSA_GUNICORN_CERT:-ssl/gunicorn.crt}"
 SATOSA_CONFIG="${SATOSA_CONFIG:-$(pwd)/proxy_conf.yaml}"
@@ -20,6 +22,16 @@ if [[ ! -f "${SATOSA_GUNICORN_CERT}" ]]; then
    SATOSA_GUNICORN_CERT="ssl/test.crt"
 fi

+if [[ -z "${SATOSA_SAML_METADATA_CERT_FILE}" ]]; then
+    echo >&2 "WARN: no metadata signing key specified!"
+
+elif [[ "${SATOSA_SAML_METADATA_CERT_FILE}" =~ ^https:// ]]; then
+    echo >&2 "WARN: fetching metadata certificate from '${SATOSA_SAML_METADATA_CERT_FILE}'!"
+    curl -fso "config/saml-metadata-signing.crt" "${SATOSA_SAML_METADATA_CERT_FILE}"
+    SATOSA_SAML_METADATA_CERT_FILE="config/saml-metadata-signing.crt"
+    export SATOSA_SAML_METADATA_CERT_FILE
+fi
+
 if [[ ! -f "oidc-clients.json" ]]; then
    echo >&2 "ERROR: could not find the file 'oidc-clients.json'!"
    exit 1