Properly install and document the metagen script

Move metagen.sh out of /etc/shibboleth to /usr/bin/shib-metagen and
install a man page for it.

diff --git a/debian/changelog b/debian/changelog
index ac23b51..aefc8e2 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,7 @@ shibboleth-sp2 (2.2.1+dfsg-1) UNRELEASED; urgency=low
     - SECURITY: Correctly validate the use attribute of KeyDescriptors,
       preventing use of a key for signing or for encryption if its use
       field says it may not be used for that purpose.
+    - New shib-metagen script for generating Shibboleth SP metadata.
     - Support preserving form data across user authentication.
     - Support internal server redirection while maintaining protection.
     - Fix incompatibility between lazy sessions and servlet containers.

diff --git a/debian/man-pages/shib-metagen.pod b/debian/man-pages/shib-metagen.pod
new file mode 100644 (file)
index 0000000..ce87d71
--- /dev/null
+++ b/debian/man-pages/shib-metagen.pod
@@ -0,0 +1,97 @@
+=head1 NAME
+
+shib-metagen - Generate metadata for a Shibboleth SP
+
+=head1 SYNOPSIS
+
+B<shib-metagen> [B<-c> I<cert> [B<-c> I<cert> ...]] [B<-e> I<entity-id>]
+    [B<-h> I<host> [B<-h> I<host> ...]] [B<-n> I<host> [B<-n> I<host> ...]]
+    [B<-o> I<organization>] [B<-a> I<admin> [B<-a> I<admin> ...]]
+    [B<-s> I<support> [B<-s> I<support> ...]]
+    [B<-t> I<tech> [B<-t> I<tech> ...]]
+
+=head1 DESCRIPTION
+
+Generate metadata for a Shibboleth SP.  The metadata is printed to
+standard output.  Most of the parameters are optional, but at least one of
+B<-h> or B<-n> must be given to specify the hostname to use in
+constructing URLs for the Shibboleth service for the SP.  Other metadata
+can be added by using the other command-line parameters.  Most parameters
+can be given multiple times.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-a> I<admin>
+
+An administrative contact for this Shibboleth SP.  This option may be
+omitted, in which case administrative contact metadata is not included, or
+may be given multiple times to list multiple contacts.  I<admin> should be
+in the form C<I<first>/I<last>/I<email>> where I<first> is the given name
+and I<last> is the surname.
+
+=item B<-c> I<cert>
+
+Specifies the SSL certificate used to identify this Shibboleth SP.  This
+option may be given multiple times to specify multiple certificates.  If
+it is not given, the default certificate is F<sp-cert.pem> in the current
+working directory.
+
+=item B<-e> I<entity-id>
+
+The entity ID for this SP.  This must be a unique identifier for this SP
+and must be a URL.  If B<-o> is given, it is used as the URL for the
+organization running this Shibboleth SP.  If it is not specified, it
+defaults to C<https://I<host>/shibboleth> where I<host> is the argument to
+the first B<-h> option.
+
+=item B<-h> I<host>
+
+A hostname for this SP (possibly a virtual host).  Either this option or
+B<-n> must be specified at least once.  It should be repeated for every
+virtual host that responds to the Shibboleth protocol.  B<-h> should be
+used for hostnames or virtual hosts that use SSL.
+
+=item B<-n> I<host>
+
+A hostname for this SP (possibly a virtual host).  Either this option or
+B<-h> must be specified at least once.  It should be repeated for every
+virtual host that responds to the Shibboleth protocol.  B<-n> should be
+used for hostnames or virtual hosts that do not use SSL to protect the
+Shibboleth communication.
+
+=item B<-o> I<organization>
+
+The name of the organization that runs this Shibboleth SP.  This option
+may be given only once and may be omitted, in which case organization
+metadata is not included.  This is normally not necessary but may be used
+by other software systems for purposes such as displaying lists of
+entities with human-readable names.
+
+=item B<-s> I<support>
+
+A support contact for this Shibboleth SP.  This option may be omitted, in
+which case support contact metadata is not included, or may be given
+multiple times to list multiple contacts.  I<support> should be in the
+form C<I<first>/I<last>/I<email>> where I<first> is the given name and
+I<last> is the surname.
+
+=item B<-t> I<tech>
+
+A technical contact for this Shibboleth SP.  This option may be omitted,
+in which case technical contact metadata is not included, or may be given
+multiple times to list multiple contacts.  I<tech> should be in the form
+C<I<first>/I<last>/I<email>> where I<first> is the given name and I<last>
+is the surname.
+
+=head1 AUTHOR
+
+This manual page was written by Russ Allbery for Debian GNU/Linux.
+
+=head1 COPYRIGHT
+
+Copyright 2009 Russ Allbery.  This manual page is hereby placed into the
+public domain by its author.
+
+=cut

diff --git a/debian/rules b/debian/rules
index 6c0e73a..fa5e4bb 100755 (executable)
--- a/debian/rules
+++ b/debian/rules
@@ -95,6 +95,8 @@ install-stamp:
        chmod +x $(CURDIR)/debian/tmp/etc/shibboleth/keygen.sh
        mv $(CURDIR)/debian/tmp/etc/shibboleth/keygen.sh \
            $(CURDIR)/debian/tmp/usr/sbin/shib-keygen
+       mv $(CURDIR)/debian/tmp/etc/shibboleth/metagen.sh \
+           $(CURDIR)/debian/tmp/usr/bin/shib-metagen
        mv $(CURDIR)/debian/tmp/etc/shibboleth/shibd-debian \
            $(CURDIR)/debian/libapache2-mod-shib2.shibd.init
        dh_installdirs -s -i
@@ -107,6 +109,9 @@ install-stamp:
        pod2man $(CURDIR)/debian/man-pages/resolvertest.pod --section 1 \
            --center 'Shibboleth' --release 2.0 \
            $(CURDIR)/debian/libapache2-mod-shib2/usr/share/man/man1/resolvertest.1
+       pod2man $(CURDIR)/debian/man-pages/shib-metagen.pod --section 1 \
+           --center 'Shibboleth' --release 2.0 \
+           $(CURDIR)/debian/libapache2-mod-shib2/usr/share/man/man1/shib-metagen.1
        pod2man $(CURDIR)/debian/man-pages/shib-keygen.pod --section 8 \
            --center 'Shibboleth' --release 2.0 \
            $(CURDIR)/debian/libapache2-mod-shib2/usr/share/man/man8/shib-keygen.8