Commit Hooks
The Curity Identity Server provides a way to run scripts when a configuration transaction has been committed. This can be useful to run administrative tasks, such as logging, backup or sending external events.
Put the scripts in <IDSVR_HOME>/usr/bin/post-commit-cli-scripts and <IDSVR_HOME>/usr/bin/post-commit-scripts (see details below); no reload or restart is required for the Curity Identity Server to pick them up.
The log file <IDSVR_HOME>/var/log/post-commit-scripts.log contains the output of the scripts and audit data about scripts that were run or skipped.
Both types of scripts have access to the same environment variables as the Curity Identity Server. For the .cli scripts, $EPOCH_TIMESTAMP is also available, set to the epoch timestamp of the script's execution.
Commit Hook CLI Scripts
CLI commit hook scripts can be very useful for exporting the current configuration. They take advantage of the Command Line Interface.
The Curity Identity Server executes all .cli files in <IDSVR_HOME>/usr/bin/post-commit-cli-scripts within the command-line-interface context when a configuration change has been committed.
Example: Export a full config backup in xml:
Listing 01 Example post-commit cli-script that creates a config backup
show configuration | display xml | save /tmp/config-backup.${EPOCH_TIMESTAMP}.xml
Example: Create a json file with the current active nodes:
Listing 02 Example post-commit cli-script that stores the service uptime in json format
show environments environment services runtime-service | display json | save /tmp/runtime-service.${EPOCH_TIMESTAMP}.json
Example: export the configuration into multiple xml files:
Listing 03 Example post-commit cli-script that creates a fine-grained config backup, where each sub-tree is stored in a different file.
show configuration profiles profile <authentication-profile-id> | display xml | save /tmp/authentication-profile-backup.${EPOCH_TIMESTAMP}.xml
show configuration profiles profile <token-service-profile-id> | display xml | save /tmp/token-service-profile-backup.${EPOCH_TIMESTAMP}.xml
show configuration facilities | display xml | save /tmp/facilities-backup.${EPOCH_TIMESTAMP}.xml
show configuration processing | display xml | save /tmp/processing-backup.${EPOCH_TIMESTAMP}.xml
show configuration aaa | display xml | save /tmp/aaa-backup.${EPOCH_TIMESTAMP}.xml
show configuration nacm | display xml | save /tmp/nacm-backup.${EPOCH_TIMESTAMP}.xml
CLI scripts that contain the commit command are ignored as they could cause a cyclic behavior.
Commit Hook Scripts
The Curity Identity Server executes all executable files under <IDSVR_HOME>/usr/bin/post-commit-scripts when a configuration change has been committed.
Example: Send an email to notify of a configuration change.
Listing 04 Example post-commit script that sends an email
#!/bin/bash
# Epoch timestamp of this run, used in the mail body
T=$(date +%s)
ADMIN_EMAIL="admin@example.com"
echo "Sending email to ${ADMIN_EMAIL}"
mail -s "Configuration updated" "${ADMIN_EMAIL}" << EOF
AutoGenerated email from Curity Identity Server
Current timestamp: ${T}
EOF
Example: Use the idsh command to export all the procedures and format them as JavaScript.
Be careful when using idsh within a post-commit script. Accidentally committing a (non-idempotent) change here could cause an infinite loop.
Listing 05 Example post-commit script that saves all configured procedures into javascript files (Advanced).
#!/bin/bash
T=$(date +%s)
TARGET=/tmp/${T}
mkdir -p "${TARGET}"
# Export every procedure of the given type. Each line returned by idsh looks like
# "<type> <name>;"; the script leaf is base64-encoded and is written to
# $TARGET/<type>/<name>.js after decoding.
function _export_procedures() {
type=$1
procedures=$(idsh <<< "show configuration processing procedures $type | display-level 1")
while IFS= read -r procedure
do
procedure=$(echo "$procedure" | sed 's/\;//g')
# skip empty lines (e.g. when no procedure of this type exists)
[ -z "$procedure" ] && continue
name=$(echo "$procedure" | awk '{split($0, column, " "); print column[2]}')
echo "Exporting procedure $type $name"
b64_script=$(idsh <<< "show configuration processing procedures $type $name script")
# unquoted on purpose: joins wrapped output lines before extracting the value
b64_script=$(echo $b64_script | sed 's/.*script \(.*\);.*/\1/')
mkdir -p "$TARGET/$type"
# --decode works with both GNU coreutils and macOS base64 (-D is macOS-only);
# whitespace is stripped first so wrapped output decodes cleanly
echo "$b64_script" | tr -d '[:space:]' | base64 --decode > "$TARGET/$type/$name.js"
done <<< "$procedures"
}
# Same as above for procedure types whose lines carry a subtype:
# "<type> <name> <subtype>;", written to $TARGET/<type>/<subtype>/<name>.js
function _export_procedures_with_subtype() {
type=$1
procedures=$(idsh <<< "show configuration processing procedures $type | display-level 1")
while IFS= read -r procedure
do
procedure=$(echo "$procedure" | sed 's/\;//g')
[ -z "$procedure" ] && continue
name=$(echo "$procedure" | awk '{split($0, column, " "); print column[2]}')
subtype=$(echo "$procedure" | awk '{split($0, column, " "); print column[3]}')
echo "Exporting token procedure $type $name"
b64_script=$(idsh <<< "show configuration processing procedures $type $name $subtype script")
b64_script=$(echo $b64_script | sed 's/.*script \(.*\);.*/\1/')
mkdir -p "$TARGET/$type/$subtype"
echo "$b64_script" | tr -d '[:space:]' | base64 --decode > "$TARGET/$type/$subtype/$name.js"
done <<< "$procedures"
}
_export_procedures_with_subtype token-procedure
_export_procedures filter-procedure
_export_procedures transformation-procedure
_export_procedures event-listener-procedure
_export_procedures validation-procedure
Since post-commit scripts run after a transaction has been committed but before its locks have been released, avoid long-running tasks in them.
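As an added example (not part of the Curity documentation), the script below pairs with a CLI hook like Listing 01: it fingerprints the newest /tmp/config-backup.<epoch>.xml, and appends a tamper-evident audit line only when the configuration content actually changed, so repeated no-op commits do not flood the log. It does only a hash and a file write, which keeps the hook short while the transaction locks are still held; the backup directory, state file and audit log paths are assumptions and can be overridden through the environment.

```shell
#!/bin/bash
# Added example post-commit script: record a SHA-256 fingerprint of the latest
# config backup and log an audit line when the configuration changed.
# BACKUP_DIR, STATE_FILE and AUDIT_LOG are assumed paths (not from the product).
set -eu

BACKUP_DIR="${BACKUP_DIR:-/tmp}"
STATE_FILE="${STATE_FILE:-/tmp/config-fingerprint.last}"
AUDIT_LOG="${AUDIT_LOG:-/tmp/config-audit.log}"

# Print the SHA-256 of a file; uses GNU sha256sum or falls back to shasum.
fingerprint() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Newest config-backup.<epoch>.xml in directory $1, or an empty string.
# Epoch timestamps have a fixed width, so lexical order equals time order.
latest_backup() {
  ls -1 "$1"/config-backup.*.xml 2>/dev/null | tail -n 1
}

# Compare the newest backup in $1 against the fingerprint stored in $2.
# Returns 0 and appends an audit line to $3 when the content changed,
# returns 1 when nothing changed or no backup exists.
record_change() {
  dir="$1"; state="$2"; log="$3"
  file=$(latest_backup "$dir")
  [ -n "$file" ] || return 1
  new=$(fingerprint "$file")
  old=$(cat "$state" 2>/dev/null || true)
  [ "$new" != "$old" ] || return 1
  printf '%s\n' "$new" > "$state"
  printf '%s config-changed sha256=%s file=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$new" "$file" >> "$log"
}

if record_change "$BACKUP_DIR" "$STATE_FILE" "$AUDIT_LOG"; then
  echo "Configuration changed; audit line appended to ${AUDIT_LOG}"
else
  echo "No configuration change detected (or no backup found)"
fi
```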