From e1fdf4d7d999568267d299f078a5be0b5aeda189 Mon Sep 17 00:00:00 2001
From: Christopher McAvaney
Date: Tue, 28 Mar 2023 13:52:16 +1100
Subject: [PATCH 1/2] handling idP and SP metadata also fixing encryption and signing certificates - they don't always both exist
---
 nagios-check-saml-entity.py | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/nagios-check-saml-entity.py b/nagios-check-saml-entity.py
index 47423bc..98c657e 100755
--- a/nagios-check-saml-entity.py
+++ b/nagios-check-saml-entity.py
@@ -93,7 +93,11 @@ def nagios_exit(message, code):
 # Expiration check on the TLS certificate of the SAML ACS URL
 if args.acs_url_tls_cert_days:
- acs_res = mds.assertion_consumer_service(entity_id=args.entity)
+ # determine if the metadta pertains to an idP or SP
+ if 'idpsso_descriptor' in mds[args.entity]:
+ acs_res = mds.single_sign_on_service(entity_id=args.entity)
+ else:
+ acs_res = mds.assertion_consumer_service(entity_id=args.entity)
 acs_url = next(iter(acs_res), {}).get("location")
 hostname = urlparse(acs_url).hostname
 if urlparse(acs_url).scheme == 'https':
@@ -123,9 +127,14 @@ def nagios_exit(message, code):
 warn_msg.append("Non-HTTPS Assertion Consumer Service URL: " + acs_url)
 if args.saml_cert_days:
- certs = list(set(
- [mds.certs(entity_id=args.entity, descriptor='any', use='encryption')[0][1]] +
- [mds.certs(entity_id=args.entity, descriptor='any', use='signing')[0][1]]))
+ _encryption_cert = mds.certs(entity_id=args.entity, descriptor='any', use='encryption')
+ _signing_cert = mds.certs(entity_id=args.entity, descriptor='any', use='signing')
+ cert_set = set()
+ if len(_encryption_cert) > 0:
+ cert_set.add(_encryption_cert[0][1])
+ if len(_signing_cert) > 0:
+ cert_set.add(_signing_cert[0][1])
+ certs = list(cert_set)
 if len(certs) > 0:
 for i in certs:
 cert = x509.load_der_x509_certificate(base64.b64decode(i), default_backend())
From ec78a6fffc1df8c5b671bb69ddaba3c6b1ba66b2 Mon Sep 17 00:00:00 2001
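Review bot: An entity that publishes both an IDPSSODescriptor and an SPSSODescriptor is sent down the IdP branch by the `if 'idpsso_descriptor' in mds[args.entity]:` line, so its assertion consumer service is never examined, and the variable name `acs_res`, the surrounding comment and the later message `"Non-HTTPS Assertion Consumer Service URL: "` still describe an ACS even when the single sign-on endpoint was the one checked. The choice deserves to be stated where it is made, e.g. `# prefer the IdP SSO endpoint; an entity carrying both descriptors is checked as an IdP only`, and the message should name the endpoint actually checked so a monitoring alert is not misread. `mds[args.entity]` is a new direct lookup; whether it raises for an entity absent from the metadata depends on the store implementation, which is not visible here. The enclosing block continues outside the hunk.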
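Review bot: Only the first certificate of each use is collected on the `cert_set.add(_encryption_cert[0][1])` and `cert_set.add(_signing_cert[0][1])` lines, so when an entity publishes several signing or encryption keys, as it does during a key rollover, the remaining certificates are never checked for expiry, and an entity that publishes none at all now passes silently where it previously failed. Assuming `mds.certs()` returns lists, the set can be built over every match, `cert_set = {c[1] for c in _encryption_cert + _signing_cert}` followed by `certs = list(cert_set)`, and the empty case reported through `warn_msg` instead of being skipped by `if len(certs) > 0:`, since a monitored entity with no usable key is a finding rather than a pass. Leading-underscore names on plain locals read as module-private names; `encryption_certs` / `signing_certs` would also reflect that they hold lists. The enclosing block continues past the hunk.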
From: Dick Visser
Date: Tue, 28 Mar 2023 14:18:02 +0200
Subject: [PATCH 2/2] Update nagios-check-saml-entity.py
---
 nagios-check-saml-entity.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nagios-check-saml-entity.py b/nagios-check-saml-entity.py
index 98c657e..7ef240e 100755
--- a/nagios-check-saml-entity.py
+++ b/nagios-check-saml-entity.py
@@ -93,7 +93,7 @@ def nagios_exit(message, code):
 # Expiration check on the TLS certificate of the SAML ACS URL
 if args.acs_url_tls_cert_days:
- # determine if the metadta pertains to an idP or SP
+ # determine if the metadata pertains to an idP or SP
 if 'idpsso_descriptor' in mds[args.entity]:
 acs_res = mds.single_sign_on_service(entity_id=args.entity)
 else: