#!/usr/share/ucs-test/runner python
## desc: Download certificate
## tags: [saml]
## exposure: safe

import urllib2
import re
from univention.config_registry import ConfigRegistry
from univention.testing.utils import fail

def extract_base64_certificate_from_cert(certificate):
	certificate = certificate.replace("\n", "")
	base64_cert = re.search('.*-----BEGIN CERTIFICATE-----(?P<base64>.*)-----END CERTIFICATE-----.*', certificate).group('base64')
	return base64_cert

def extract_base64_certificate_from_metadata(metadata):
	metadata = metadata.replace("\n", "")
	base64_cert = re.search('.*<ds:X509Certificate>(?P<base64>.*)</ds:X509Certificate>.*', metadata).group('base64')
	return base64_cert

if __name__ == '__main__':
	ucr = ConfigRegistry()
	ucr.load()

	metadata_url = ucr['saml/idp/entityID']
	if metadata_url is None:
		fail('The ucr key saml/idp/entityID is not set')
	cert_url = metadata_url.replace('metadata.php', 'certificate')

	res = []

	# read at least five times because ucs-sso is an alias for different IPs
	for i in range(0, 5):
		print '%d: Query cert for %r' % (i, cert_url)
		response = urllib2.urlopen(cert_url)
		cert = response.read()
		if not cert:
			fail('Empty response')
		print cert
		res.append(cert)

	for i in range(0, 4):
		if res[i] != res[i + 1]:
			fail('Certificate is different: %d and %d' % (i, i + 1))

	print("Compare certificate with metadata")
	base64_cert = extract_base64_certificate_from_cert(cert)
	response = urllib2.urlopen(metadata_url)
	metadata = response.read()
	if extract_base64_certificate_from_metadata(metadata) != base64_cert:
		fail('Certificate is different from the certificate in the metadata')
	print("Certificate OK")